├── VERSION
├── test
├── selenium_test
│ ├── requirements.txt
│ ├── Dockerfile
│ ├── docker-entrypoint.sh
│ ├── test.py
│ └── wait-for-it.sh
├── mock_server
│ ├── requirements.txt
│ ├── Dockerfile
│ ├── certificate_gen.sh
│ └── cloudflare_access_mockserver.py
├── nginx_ssl_proxy
│ ├── Dockerfile
│ ├── gen_ssl.sh
│ ├── nginx.conf
│ ├── proxy.csr
│ ├── proxy.crt
│ └── proxy.key
├── docker-compose.yml
└── README.md
├── src
├── sentry_cloudflare_access_auth
│ ├── __init__.py
│ ├── templates
│ │ └── cloudflareaccess
│ │ │ └── error.html
│ ├── helper.py
│ ├── backend.py
│ └── middleware.py
├── MANIFEST.in
├── setup.py
├── README.md
└── LICENSE
├── sentry-docker-9x
├── requirements.txt
├── docker-compose-e2e.yml
├── .dockerignore
├── e2e.env
├── install-noinput.sh
├── .env.example
├── .travis.yml
├── Makefile
├── Dockerfile
├── test.sh
├── .gitignore
├── proxy.crt
├── docker-compose.yml
├── config.yml
├── README.md
├── install.sh
├── LICENSE
└── sentry.conf.py
├── sentry-docker-10x
├── sentry
│ ├── requirements.txt
│ ├── Dockerfile
│ └── config.example.yml
├── sentry.example.env
├── docker-compose-e2e.yml
├── e2e.env
├── install-noinput.sh
├── cron
│ ├── Dockerfile
│ └── entrypoint.sh
├── Makefile
├── .travis.yml
├── test.sh
├── .gitignore
├── proxy.crt
├── README.md
├── LICENSE
├── docker-compose.yml
└── install.sh
├── rebuild-docker-9x.sh
├── rebuild-docker-10x.sh
├── .github
└── workflows
│ └── semgrep.yml
├── test.sh
├── .gitignore
├── README.md
└── LICENSE
/VERSION:
--------------------------------------------------------------------------------
1 | 1.0.0
--------------------------------------------------------------------------------
/test/selenium_test/requirements.txt:
--------------------------------------------------------------------------------
1 | selenium
--------------------------------------------------------------------------------
/src/sentry_cloudflare_access_auth/__init__.py:
--------------------------------------------------------------------------------
1 | from __future__ import absolute_import
--------------------------------------------------------------------------------
/test/mock_server/requirements.txt:
--------------------------------------------------------------------------------
1 | python_jwt
2 | pyOpenSSL
3 | flask
4 | flask_restful
--------------------------------------------------------------------------------
/sentry-docker-9x/requirements.txt:
--------------------------------------------------------------------------------
1 | /usr/src/sentry/sentry_cloudflare_access_auth-dev-py2-none-any.whl
--------------------------------------------------------------------------------
/sentry-docker-10x/sentry/requirements.txt:
--------------------------------------------------------------------------------
1 | /usr/src/sentry/sentry_cloudflare_access_auth-dev-py2-none-any.whl
--------------------------------------------------------------------------------
/sentry-docker-10x/sentry.example.env:
--------------------------------------------------------------------------------
1 | CF_POLICY_AUD="YOUR POLICY AUDIENCE VALUE"
2 | CF_AUTH_DOMAIN="YOUR ACCESS LOGIN PAGE DOMAIN"
--------------------------------------------------------------------------------
/src/MANIFEST.in:
--------------------------------------------------------------------------------
1 | include setup.py README.md MANIFEST.in LICENSE
2 | recursive-include sentry_cloudflare_access_auth *
3 | global-exclude *~
--------------------------------------------------------------------------------
/test/nginx_ssl_proxy/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM nginx
2 |
3 | COPY nginx.conf /etc/nginx/nginx.conf
4 |
5 | RUN mkdir /etc/nginx/ssl
6 | COPY proxy.* /etc/nginx/ssl/
7 |
--------------------------------------------------------------------------------
/sentry-docker-10x/docker-compose-e2e.yml:
--------------------------------------------------------------------------------
1 | version: '3.4'
2 |
3 | services:
4 | web:
5 | env_file: e2e.env
6 | volumes:
7 | - ./proxy.crt:/e2e/cabundle/proxy.crt
--------------------------------------------------------------------------------
/sentry-docker-9x/docker-compose-e2e.yml:
--------------------------------------------------------------------------------
1 | version: '3.4'
2 |
3 | services:
4 | web:
5 | env_file: e2e.env
6 | volumes:
7 | - ./proxy.crt:/e2e/cabundle/proxy.crt
--------------------------------------------------------------------------------
/test/selenium_test/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:2.7
2 |
3 | COPY . /selenium
4 |
5 | WORKDIR /selenium
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | ENTRYPOINT ["./docker-entrypoint.sh"]
--------------------------------------------------------------------------------
/sentry-docker-9x/.dockerignore:
--------------------------------------------------------------------------------
1 | .git
2 | .gitignore
3 | .dockerignore
4 | Makefile
5 | README.md
6 | *.pyc
7 | *.tar
8 | docker-compose.yml
9 | data/
10 | .travis.yml
11 | install.sh
12 | test.sh
13 |
--------------------------------------------------------------------------------
/sentry-docker-10x/e2e.env:
--------------------------------------------------------------------------------
1 | #Env file for e2e test suite
2 |
3 | CF_POLICY_AUD=f73c7a6712258428dd625be8da1f6660b74d9a10d8877f579f8429490baa3a64
4 | CF_AUTH_DOMAIN=securesentry
5 | REQUESTS_CA_BUNDLE=/e2e/cabundle/proxy.crt
--------------------------------------------------------------------------------
/sentry-docker-9x/e2e.env:
--------------------------------------------------------------------------------
1 | #Env file for e2e test suite
2 |
3 | CF_POLICY_AUD=f73c7a6712258428dd625be8da1f6660b74d9a10d8877f579f8429490baa3a64
4 | CF_AUTH_DOMAIN=securesentry
5 | REQUESTS_CA_BUNDLE=/e2e/cabundle/proxy.crt
--------------------------------------------------------------------------------
/sentry-docker-10x/install-noinput.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | export CI=true
5 | ./install.sh
6 | docker-compose run --rm web createuser --email="user@testcompany.com" --password="01!3q2.0qa#dad" --superuser
7 |
--------------------------------------------------------------------------------
/sentry-docker-9x/install-noinput.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | export CI=true
5 | ./install.sh
6 | docker-compose run --rm web createuser --email="user@testcompany.com" --password="01!3q2.0qa#dad" --superuser
7 |
--------------------------------------------------------------------------------
/test/mock_server/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:2.7
2 |
3 | COPY . /app
4 |
5 | WORKDIR /app
6 |
7 | RUN pip install -r requirements.txt
8 | RUN ./certificate_gen.sh
9 |
10 | ENTRYPOINT ["python"]
11 |
12 | CMD ["cloudflare_access_mockserver.py"]
--------------------------------------------------------------------------------
/sentry-docker-9x/.env.example:
--------------------------------------------------------------------------------
1 | CF_POLICY_AUD="YOUR POLICY AUDIENCE VALUE"
2 | CF_AUTH_DOMAIN="YOUR ACCESS LOGIN PAGE DOMAIN"
3 | # Run `docker-compose run web config generate-secret-key`
4 | # to get the SENTRY_SECRET_KEY value.
5 | SENTRY_SECRET_KEY=
6 |
--------------------------------------------------------------------------------
/test/selenium_test/docker-entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | WAIT_CMD="./wait-for-it.sh -s -t 30"
5 |
6 | $WAIT_CMD selenium_server:4444 \
7 | -- $WAIT_CMD cloudflare_mock_server:5000 \
8 | -- $WAIT_CMD securesentry:443 \
9 | -- python test.py
--------------------------------------------------------------------------------
/sentry-docker-10x/cron/Dockerfile:
--------------------------------------------------------------------------------
1 | ARG BASE_IMAGE
2 | FROM ${BASE_IMAGE}
3 | RUN apt-get update && apt-get install -y --no-install-recommends cron && \
4 | rm -r /var/lib/apt/lists/*
5 | COPY entrypoint.sh /entrypoint.sh
6 | ENTRYPOINT ["/entrypoint.sh"]
7 |
--------------------------------------------------------------------------------
/test/mock_server/certificate_gen.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | for i in 1 2
5 | do
6 | KEY_NAME="cert_0"$i
7 | ssh-keygen -t rsa -b 4096 -m PEM -P "" -f $KEY_NAME.key
8 | openssl rsa -in $KEY_NAME.key -pubout -outform PEM -out $KEY_NAME.key.pub
9 | echo ">>> Generated Certificate $i:"
10 | cat $KEY_NAME.key
11 | cat $KEY_NAME.key.pub
12 | done
--------------------------------------------------------------------------------
/rebuild-docker-9x.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | SENTRY_DC_PREFIX=sentry-docker-9x
5 | export SENTRY_IMAGE='sentry:9.1.2'
6 |
7 | ./build-package.sh
8 |
9 | cd $SENTRY_DC_PREFIX/
10 |
11 | docker stop $SENTRY_DC_PREFIX"_cron_1" $SENTRY_DC_PREFIX"_web_1" $SENTRY_DC_PREFIX"_worker_1"
12 | docker-compose up -d --build
13 |
14 | cd ..
15 |
16 | echo "sentry-docker 9x rebuilt!"
17 |
--------------------------------------------------------------------------------
/rebuild-docker-10x.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | SENTRY_DC_PREFIX=sentry-docker-10x
5 |
6 | ./build-package.sh
7 |
8 | cd $SENTRY_DC_PREFIX/
9 |
10 | docker stop $SENTRY_DC_PREFIX"_cron_1" $SENTRY_DC_PREFIX"_web_1" $SENTRY_DC_PREFIX"_worker_1"
11 | docker rmi -f sentry-onpremise-local
12 | docker-compose build
13 | docker-compose up -d
14 |
15 | cd ..
16 |
17 | echo "sentry-docker 10x rebuilt!"
18 |
--------------------------------------------------------------------------------
/test/nginx_ssl_proxy/gen_ssl.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | SUBJ="/C=US/ST=California/L=San Francisco/O=Global Security/OU=IT Department/CN=securesentry"
5 | openssl req -nodes -newkey rsa:2048 -keyout proxy.key -subj "$SUBJ"
6 | openssl req -new -key proxy.key -out proxy.csr -subj "$SUBJ"
7 | openssl x509 -req -days 365 -in proxy.csr -signkey proxy.key -out proxy.crt
8 |
9 | echo "Certificates ready, remember to update sentry-docker CAs!"
--------------------------------------------------------------------------------
/sentry-docker-9x/.travis.yml:
--------------------------------------------------------------------------------
1 | language: bash
2 | services: docker
3 |
4 | env:
5 | - SENTRY_IMAGE=sentry:9.1.2
6 | - SENTRY_IMAGE=getsentry/sentry:git
7 |
8 | script:
9 | - ./install.sh
10 | - docker-compose run --rm web createuser --superuser --email test@sentry.io --password test123TEST
11 | - docker-compose up -d
12 | - timeout 60 bash -c 'until $(curl -Isf -o /dev/null http://localhost:9000); do printf '.'; sleep 0.5; done'
13 | - ./test.sh
14 |
--------------------------------------------------------------------------------
/sentry-docker-10x/cron/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | # Prior art:
4 | # - https://git.io/fjNOg
5 | # - https://blog.knoldus.com/running-a-cron-job-in-docker-container/
6 |
7 | declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' > /container.env
8 |
9 | { for cron_job in "$@"; do echo -e "SHELL=/bin/bash
10 | BASH_ENV=/container.env
11 | ${cron_job} > /proc/1/fd/1 2>/proc/1/fd/2"; done } \
12 | | sed --regexp-extended 's/\\(.)/\1/g' \
13 | | crontab -
14 | crontab -l
15 | exec cron -f -l -L 15
16 |
--------------------------------------------------------------------------------
/src/sentry_cloudflare_access_auth/templates/cloudflareaccess/error.html:
--------------------------------------------------------------------------------
1 | {% extends "sentry/bases/auth.html" %}
2 |
3 | {% load crispy_forms_tags %}
4 | {% load i18n %}
5 |
6 | {% block title %}{% trans "Cloudflare access error" %} | {{ block.super }}{% endblock %}
7 |
8 | {% block auth_main %}
9 |
10 |
11 | Authorization Error
12 |
13 |
14 | Cloudflare access error
15 |
16 |
19 | {% endblock %}
--------------------------------------------------------------------------------
/test/nginx_ssl_proxy/nginx.conf:
--------------------------------------------------------------------------------
1 | events {}
2 |
3 | http {
4 | server {
5 | server_name securesentry;
6 |
7 | return 301 https://$host$request_uri;
8 | }
9 |
10 | server {
11 | listen 443 ssl;
12 |
13 | server_name securesentry;
14 |
15 | ssl_certificate /etc/nginx/ssl/proxy.crt;
16 | ssl_certificate_key /etc/nginx/ssl/proxy.key;
17 |
18 | location /cdn-cgi/ {
19 | proxy_pass https://cloudflare_mock_server:5000/cdn-cgi/;
20 | }
21 |
22 | location / {
23 | proxy_pass http://web:9000;
24 | proxy_set_header Host $http_host;
25 | }
26 | }
27 |
28 | }
--------------------------------------------------------------------------------
/sentry-docker-10x/Makefile:
--------------------------------------------------------------------------------
1 | REPOSITORY?=sentry-onpremise
2 | TAG?=latest
3 |
4 | OK_COLOR=\033[32;01m
5 | NO_COLOR=\033[0m
6 |
7 | build:
8 | @printf "$(OK_COLOR)==>$(NO_COLOR) Building $(REPOSITORY):$(TAG)\n"
9 | @docker build --pull --rm -t $(REPOSITORY):$(TAG) . --build-arg SENTRY_IMAGE=sentry:9.1
10 |
11 | $(REPOSITORY)_$(TAG).tar: build
12 | @printf "$(OK_COLOR)==>$(NO_COLOR) Saving $(REPOSITORY):$(TAG) > $@\n"
13 | @docker save $(REPOSITORY):$(TAG) > $@
14 |
15 | push: build
16 | @printf "$(OK_COLOR)==>$(NO_COLOR) Pushing $(REPOSITORY):$(TAG)\n"
17 | @docker push $(REPOSITORY):$(TAG)
18 |
19 | all: build push
20 |
21 | .PHONY: all build push
22 |
--------------------------------------------------------------------------------
/sentry-docker-9x/Makefile:
--------------------------------------------------------------------------------
1 | REPOSITORY?=sentry-onpremise
2 | TAG?=latest
3 |
4 | OK_COLOR=\033[32;01m
5 | NO_COLOR=\033[0m
6 |
7 | build:
8 | @printf "$(OK_COLOR)==>$(NO_COLOR) Building $(REPOSITORY):$(TAG)\n"
9 | @docker build --pull --rm -t $(REPOSITORY):$(TAG) . --build-arg SENTRY_IMAGE=sentry:9.1
10 |
11 | $(REPOSITORY)_$(TAG).tar: build
12 | @printf "$(OK_COLOR)==>$(NO_COLOR) Saving $(REPOSITORY):$(TAG) > $@\n"
13 | @docker save $(REPOSITORY):$(TAG) > $@
14 |
15 | push: build
16 | @printf "$(OK_COLOR)==>$(NO_COLOR) Pushing $(REPOSITORY):$(TAG)\n"
17 | @docker push $(REPOSITORY):$(TAG)
18 |
19 | all: build push
20 |
21 | .PHONY: all build push
22 |
--------------------------------------------------------------------------------
/.github/workflows/semgrep.yml:
--------------------------------------------------------------------------------
1 |
2 | on:
3 | pull_request: {}
4 | workflow_dispatch: {}
5 | push:
6 | branches:
7 | - main
8 | - master
9 | schedule:
10 | - cron: '0 0 * * *'
11 | name: Semgrep config
12 | jobs:
13 | semgrep:
14 | name: semgrep/ci
15 | runs-on: ubuntu-20.04
16 | env:
17 | SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
18 | SEMGREP_URL: https://cloudflare.semgrep.dev
19 | SEMGREP_APP_URL: https://cloudflare.semgrep.dev
20 | SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
21 | container:
22 | image: returntocorp/semgrep
23 | steps:
24 | - uses: actions/checkout@v3
25 | - run: semgrep ci
26 |
--------------------------------------------------------------------------------
/sentry-docker-10x/.travis.yml:
--------------------------------------------------------------------------------
1 | language: bash
2 | services: docker
3 |
4 | env:
5 | - DOCKER_COMPOSE_VERSION=1.24.1
6 |
7 | before_install:
8 | - sudo rm /usr/local/bin/docker-compose
9 | - curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > docker-compose
10 | - chmod +x docker-compose
11 | - sudo mv docker-compose /usr/local/bin
12 |
13 | script:
14 | - ./install.sh
15 | - docker-compose run --rm web createuser --superuser --email test@example.com --password test123TEST
16 | - docker-compose up -d
17 | - timeout 60 bash -c 'until $(curl -Isf -o /dev/null http://localhost:9000); do printf '.'; sleep 0.5; done'
18 | - ./test.sh
19 |
--------------------------------------------------------------------------------
/sentry-docker-9x/Dockerfile:
--------------------------------------------------------------------------------
1 | ARG SENTRY_IMAGE
2 | FROM ${SENTRY_IMAGE:-sentry:9.1.2}-onbuild
3 |
4 | WORKDIR /usr/src/sentry
5 |
6 | # Add WORKDIR to PYTHONPATH so local python files don't need to be installed
7 | ENV PYTHONPATH /usr/src/sentry
8 | COPY . /usr/src/sentry
9 |
10 | RUN ls /usr/src/sentry
11 |
12 | # Hook for installing additional plugins
13 | RUN if [ -s requirements.txt ]; then pip install -r requirements.txt; fi
14 |
15 | # Hook for installing a local app as an addon
16 | RUN if [ -s setup.py ]; then pip install -e .; fi
17 |
18 | # Hook for staging in custom configs
19 | RUN if [ -s sentry.conf.py ]; then cp sentry.conf.py $SENTRY_CONF/; fi \
20 | && if [ -s config.yml ]; then cp config.yml $SENTRY_CONF/; fi
--------------------------------------------------------------------------------
/test/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: '3.5'
2 |
3 | x-defaults: &defaults
4 | networks:
5 | - sentry_network
6 |
7 | services:
8 | selenium_server:
9 | <<: *defaults
10 | image: selenium/standalone-firefox-debug
11 | ports:
12 | - 15900:5900
13 | volumes:
14 | - /dev/shm:/dev/shm
15 |
16 | cloudflare_mock_server:
17 | <<: *defaults
18 | build: ./mock_server
19 |
20 | securesentry:
21 | <<: *defaults
22 | build: ./nginx_ssl_proxy
23 | ports:
24 | - 8080:80
25 | - 8443:443
26 |
27 | selenium_test:
28 | <<: *defaults
29 | build: ./selenium_test
30 |
31 |
32 | networks:
33 | sentry_network:
34 | external: true
35 | name: ${SENTRY_EXTERNAL_NETWORK_NAME}
--------------------------------------------------------------------------------
/sentry-docker-10x/sentry/Dockerfile:
--------------------------------------------------------------------------------
1 | ARG SENTRY_IMAGE
2 | FROM ${SENTRY_IMAGE:-getsentry/sentry:latest}
3 |
4 | WORKDIR /usr/src/sentry
5 |
6 | # Add WORKDIR to PYTHONPATH so local python files don't need to be installed
7 | ENV PYTHONPATH /usr/src/sentry
8 | COPY . /usr/src/sentry
9 |
10 | RUN ls /usr/src/sentry
11 |
12 | # Hook for installing additional plugins
13 | RUN if [ -s requirements.txt ]; then pip install -r requirements.txt; fi
14 |
15 | # Hook for installing a local app as an addon
16 | RUN if [ -s setup.py ]; then pip install -e .; fi
17 |
18 | # Hook for staging in custom configs
19 | RUN if [ -s sentry.conf.py ]; then cp sentry.conf.py $SENTRY_CONF/; fi \
20 | && if [ -s config.yml ]; then cp config.yml $SENTRY_CONF/; fi
21 |
--------------------------------------------------------------------------------
/test/nginx_ssl_proxy/proxy.csr:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE REQUEST-----
2 | MIICyTCCAbECAQAwgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
3 | MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRgwFgYDVQQKDA9HbG9iYWwgU2VjdXJp
4 | dHkxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxFTATBgNVBAMMDHNlY3VyZXNlbnRy
5 | eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQUW/bJC+Y+33n+Sv7d
6 | aLShKx2RvTqebriWr0fpspw6EAcPP901ShGLleD+q5bVYii9e0HabanZDe2ecMM1
7 | 3Iz6QlxJFkSeYm7Vtoa01iqm06el2lS/p7RTfSlPJJQRvUb8z6PKx7P4mK+sfyf9
8 | EYVeU47HIQWry2p7fv1InO7Uck8ge4ThB0D4Mm/n20wn71603v5KkY4NZiOR59Vc
9 | uEkxwcaQp7RZ7Fmv2zlgsD5vCPRWjcMKHaX9QMrxjcvD4HTtCy1s2tUg3jHQ5sAz
10 | gvlZWucUQkV87YV7yHY8G2aFv/q5jS+/H8lZidMF2LRXd8G0x+B/N4qgSx7x0owH
11 | 6bMCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQChJIL1VD+/bmynASJ7R+K1dS4v
12 | XaeZcEVc8St7vBTimtNn4mjYLWfxt5xprjYyqdX16TNaAHAEOqsDSA2Qq82J/DfC
13 | aBYGGOcFyKh/8gQm7tD/8O7FC4tMaBAvHTyJA8qacW3c8XZLqv7mELOiFALt58l7
14 | e2rtR6ReCMPRl4Sh0XtJI1motE4kNcu94ZcBVahLI9Vu1YuMXEpjA6TQ+mknulP1
15 | YcivxdjugdB26TZDGVi/uPUwUC0nSsXsqY84iGi8rQZoVeojxwPMUkwY1GKZNbxh
16 | +Wz3VQlIz4WiaDG38KU5OTX5bgyj+fS2CXMzYHSgUDr2h3Z7eFK3kTpDawMb
17 | -----END CERTIFICATE REQUEST-----
18 |
--------------------------------------------------------------------------------
/sentry-docker-9x/test.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | TEST_USER='test@sentry.io'
5 | TEST_PASS='test123TEST'
6 | COOKIE_FILE=$(mktemp)
7 | declare -a TEST_STRINGS=(
8 | '"isAuthenticated":true'
9 | '"username":"test@sentry.io"'
10 | '"isSuperuser":true'
11 | )
12 |
13 | INITIAL_AUTH_REDIRECT=$(curl -sL -o /dev/null http://localhost:9000 -w %{url_effective})
14 | if [ "$INITIAL_AUTH_REDIRECT" != "http://localhost:9000/auth/login/sentry/" ]; then
15 | echo "Initial /auth/login/ redirect failed, exiting..."
16 | echo "$INITIAL_AUTH_REDIRECT"
17 | exit -1
18 | fi
19 |
20 | CSRF_TOKEN=$(curl http://localhost:9000 -sL -c "$COOKIE_FILE" | awk -F "'" '
21 | /csrfmiddlewaretoken/ {
22 | print $4 "=" $6;
23 | exit;
24 | }')
25 | LOGIN_RESPONSE=$(curl -sL -F 'op=login' -F "username=$TEST_USER" -F "password=$TEST_PASS" -F "$CSRF_TOKEN" http://localhost:9000/auth/login/ -H 'Referer: http://localhost/auth/login/' -b "$COOKIE_FILE" -c "$COOKIE_FILE")
26 |
27 | TEST_RESULT=0
28 | for i in "${TEST_STRINGS[@]}"
29 | do
30 | echo "Testing '$i'..."
31 | echo "$LOGIN_RESPONSE" | grep "$i[,}]" >& /dev/null
32 | echo "Pass."
33 | done
34 |
--------------------------------------------------------------------------------
/sentry-docker-10x/test.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | SENTRY_TEST_HOST="${SENTRY_TEST_HOST:-http://localhost:9000}"
5 | TEST_USER='test@example.com'
6 | TEST_PASS='test123TEST'
7 | COOKIE_FILE=$(mktemp)
8 | declare -a TEST_STRINGS=(
9 | '"isAuthenticated":true'
10 | '"username":"test@example.com"'
11 | '"isSuperuser":true'
12 | )
13 |
14 | INITIAL_AUTH_REDIRECT=$(curl -sL -o /dev/null $SENTRY_TEST_HOST -w %{url_effective})
15 | if [ "$INITIAL_AUTH_REDIRECT" != "$SENTRY_TEST_HOST/auth/login/sentry/" ]; then
16 | echo "Initial /auth/login/ redirect failed, exiting..."
17 | echo "$INITIAL_AUTH_REDIRECT"
18 | exit -1
19 | fi
20 |
21 | CSRF_TOKEN=$(curl $SENTRY_TEST_HOST -sL -c "$COOKIE_FILE" | awk -F "'" '
22 | /csrfmiddlewaretoken/ {
23 | print $4 "=" $6;
24 | exit;
25 | }')
26 | LOGIN_RESPONSE=$(curl -sL -F 'op=login' -F "username=$TEST_USER" -F "password=$TEST_PASS" -F "$CSRF_TOKEN" "$SENTRY_TEST_HOST/auth/login/" -H "Referer: $SENTRY_TEST_HOST/auth/login/" -b "$COOKIE_FILE" -c "$COOKIE_FILE")
27 |
28 | TEST_RESULT=0
29 | for i in "${TEST_STRINGS[@]}"
30 | do
31 | echo "Testing '$i'..."
32 | echo "$LOGIN_RESPONSE" | grep "$i[,}]" >& /dev/null
33 | echo "Pass."
34 | done
35 |
--------------------------------------------------------------------------------
/test.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | # load flags
5 | while getopts ct: option
6 | do
7 | case "${option}"
8 | in
9 | t) SENTRY_TARGET=$OPTARG;;
10 | c) CLEAN_ONLY=1;;
11 | esac
12 | done
13 |
14 | # setup vars
15 | TEST_PWD=`pwd`
16 | DC_SENTRY="sentry-docker-${SENTRY_TARGET:-10}x"
17 | DC_PROJ_NAME=$DC_SENTRY"-e2e"
18 | SENTRY_COMPOSE="docker-compose -f $DC_SENTRY/docker-compose.yml -f $DC_SENTRY/docker-compose-e2e.yml "
19 | TEST_COMPOSE="docker-compose -f test/docker-compose.yml "
20 |
21 | sentry_compose_cleanup () {
22 | # cleanup sentry with compose
23 | $SENTRY_COMPOSE down
24 |
25 | # remove volumes
26 | docker volume ls | grep sentry | awk -F' ' '{print "docker volume rm "$2}' | bash
27 | }
28 |
29 | sentry_compose_cleanup
30 |
31 |
32 | if [ -n "$CLEAN_ONLY" ]; then
33 | echo "clean finished!"
34 | exit
35 | fi
36 |
37 | # packages the plugin
38 | ./build-package.sh
39 |
40 | # install sentry for running the e2e suite
41 | cd $DC_SENTRY
42 | ./install-noinput.sh
43 | cd $TEST_PWD
44 |
45 | $SENTRY_COMPOSE up -d
46 |
47 | # run the suite
48 | export SENTRY_EXTERNAL_NETWORK_NAME=$DC_SENTRY"_default"
49 | $TEST_COMPOSE down
50 | $TEST_COMPOSE up --exit-code-from selenium_test --build
51 |
52 | sentry_compose_cleanup
--------------------------------------------------------------------------------
/sentry-docker-9x/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | env/
12 | build/
13 | develop-eggs/
14 | dist/
15 | downloads/
16 | eggs/
17 | .eggs/
18 | lib/
19 | lib64/
20 | parts/
21 | sdist/
22 | var/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 |
27 | # PyInstaller
28 | # Usually these files are written by a python script from a template
29 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
30 | *.manifest
31 | *.spec
32 |
33 | # Installer logs
34 | pip-log.txt
35 | pip-delete-this-directory.txt
36 |
37 | # Unit test / coverage reports
38 | htmlcov/
39 | .tox/
40 | .coverage
41 | .coverage.*
42 | .cache
43 | nosetests.xml
44 | coverage.xml
45 | *.cover
46 | .hypothesis/
47 |
48 | # Translations
49 | *.mo
50 | *.pot
51 |
52 | # Django stuff:
53 | *.log
54 | local_settings.py
55 |
56 | # Sphinx documentation
57 | docs/_build/
58 |
59 | # PyBuilder
60 | target/
61 |
62 | # Ipython Notebook
63 | .ipynb_checkpoints
64 |
65 | # pyenv
66 | .python-version
67 |
68 | # https://docs.docker.com/compose/extends/
69 | docker-compose.override.yml
70 |
71 | # env config
72 | .env
73 |
74 | *.tar
75 | data/
76 | .vscode/tags
77 |
--------------------------------------------------------------------------------
/sentry-docker-10x/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | env/
12 | build/
13 | develop-eggs/
14 | dist/
15 | downloads/
16 | eggs/
17 | .eggs/
18 | lib/
19 | lib64/
20 | parts/
21 | sdist/
22 | var/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 |
27 | # PyInstaller
28 | # Usually these files are written by a python script from a template
29 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
30 | *.manifest
31 | *.spec
32 |
33 | # Installer logs
34 | pip-log.txt
35 | pip-delete-this-directory.txt
36 |
37 | # Unit test / coverage reports
38 | htmlcov/
39 | .tox/
40 | .coverage
41 | .coverage.*
42 | .cache
43 | nosetests.xml
44 | coverage.xml
45 | *.cover
46 | .hypothesis/
47 |
48 | # Translations
49 | *.mo
50 | *.pot
51 |
52 | # Django stuff:
53 | *.log
54 | local_settings.py
55 |
56 | # Sphinx documentation
57 | docs/_build/
58 |
59 | # PyBuilder
60 | target/
61 |
62 | # Ipython Notebook
63 | .ipynb_checkpoints
64 |
65 | # pyenv
66 | .python-version
67 |
68 | # https://docs.docker.com/compose/extends/
69 | docker-compose.override.yml
70 |
71 | *.tar
72 | data/
73 | .vscode/tags
74 |
75 | # custom Sentry config
76 | sentry/sentry.conf.py
77 | sentry/config.yml
78 | sentry/*.whl
79 | sentry.env
--------------------------------------------------------------------------------
/sentry-docker-10x/proxy.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDjzCCAncCFFH2al+VcWXjSxcrWS4o3DXcfwDeMA0GCSqGSIb3DQEBCwUAMIGD
3 | MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
4 | IEZyYW5jaXNjbzEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J
5 | VCBEZXBhcnRtZW50MRUwEwYDVQQDDAxzZWN1cmVzZW50cnkwHhcNMjAwMTExMDAx
6 | NzI0WhcNMjEwMTEwMDAxNzI0WjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
7 | bGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGDAWBgNVBAoMD0dsb2Jh
8 | bCBTZWN1cml0eTEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEVMBMGA1UEAwwMc2Vj
9 | dXJlc2VudHJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApBRb9skL
10 | 5j7fef5K/t1otKErHZG9Op5uuJavR+mynDoQBw8/3TVKEYuV4P6rltViKL17Qdpt
11 | qdkN7Z5wwzXcjPpCXEkWRJ5ibtW2hrTWKqbTp6XaVL+ntFN9KU8klBG9RvzPo8rH
12 | s/iYr6x/J/0RhV5TjschBavLant+/Uic7tRyTyB7hOEHQPgyb+fbTCfvXrTe/kqR
13 | jg1mI5Hn1Vy4STHBxpCntFnsWa/bOWCwPm8I9FaNwwodpf1AyvGNy8PgdO0LLWza
14 | 1SDeMdDmwDOC+Vla5xRCRXzthXvIdjwbZoW/+rmNL78fyVmJ0wXYtFd3wbTH4H83
15 | iqBLHvHSjAfpswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBClRB3M+Mp7H3kA3I3
16 | xsel6fck8rWDOJuu8cVvEZw+SCicc480JlRxzHMeGDV+1Xr9EQYo3zi2syklsOde
17 | zBfybCRdxLrFcRkodieY5a85KzDmK77JD3P94FwsfjmbJ8kpppi9nTheBl+yFiTI
18 | ++B33A63pMvJjFjyToZI+g6TXvrhbNXAs/pjYssUMYVzQlkBogWYvA9CHdHI0dRZ
19 | PWhCJADHYjuso5mXOnAoiCZvwusidc2eEyQLFZwpzy+Nj1TJM80MCn+pgMH0vd9b
20 | 7rI0+Rw7Oj7cUvdj5+jlHT9wXoMEI88F9KfWinugHF8ffeFKTM+NcKyXKXv61D3A
21 | aPFv
22 | -----END CERTIFICATE-----
23 |
--------------------------------------------------------------------------------
/sentry-docker-9x/proxy.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDjzCCAncCFFH2al+VcWXjSxcrWS4o3DXcfwDeMA0GCSqGSIb3DQEBCwUAMIGD
3 | MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
4 | IEZyYW5jaXNjbzEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J
5 | VCBEZXBhcnRtZW50MRUwEwYDVQQDDAxzZWN1cmVzZW50cnkwHhcNMjAwMTExMDAx
6 | NzI0WhcNMjEwMTEwMDAxNzI0WjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
7 | bGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGDAWBgNVBAoMD0dsb2Jh
8 | bCBTZWN1cml0eTEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEVMBMGA1UEAwwMc2Vj
9 | dXJlc2VudHJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApBRb9skL
10 | 5j7fef5K/t1otKErHZG9Op5uuJavR+mynDoQBw8/3TVKEYuV4P6rltViKL17Qdpt
11 | qdkN7Z5wwzXcjPpCXEkWRJ5ibtW2hrTWKqbTp6XaVL+ntFN9KU8klBG9RvzPo8rH
12 | s/iYr6x/J/0RhV5TjschBavLant+/Uic7tRyTyB7hOEHQPgyb+fbTCfvXrTe/kqR
13 | jg1mI5Hn1Vy4STHBxpCntFnsWa/bOWCwPm8I9FaNwwodpf1AyvGNy8PgdO0LLWza
14 | 1SDeMdDmwDOC+Vla5xRCRXzthXvIdjwbZoW/+rmNL78fyVmJ0wXYtFd3wbTH4H83
15 | iqBLHvHSjAfpswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBClRB3M+Mp7H3kA3I3
16 | xsel6fck8rWDOJuu8cVvEZw+SCicc480JlRxzHMeGDV+1Xr9EQYo3zi2syklsOde
17 | zBfybCRdxLrFcRkodieY5a85KzDmK77JD3P94FwsfjmbJ8kpppi9nTheBl+yFiTI
18 | ++B33A63pMvJjFjyToZI+g6TXvrhbNXAs/pjYssUMYVzQlkBogWYvA9CHdHI0dRZ
19 | PWhCJADHYjuso5mXOnAoiCZvwusidc2eEyQLFZwpzy+Nj1TJM80MCn+pgMH0vd9b
20 | 7rI0+Rw7Oj7cUvdj5+jlHT9wXoMEI88F9KfWinugHF8ffeFKTM+NcKyXKXv61D3A
21 | aPFv
22 | -----END CERTIFICATE-----
23 |
--------------------------------------------------------------------------------
/test/README.md:
--------------------------------------------------------------------------------
1 | # Cloudflare Access for Sentry Test Suite
2 |
3 | Here you find an E2E test suite for the plugin.
4 |
5 | ## Running the tests
6 |
7 | Prerequisites:
8 |
9 | - Docker
10 |
11 | ## Docker compose services architecture:
12 |
13 | - `cloudflare_mock_server`: Simulates Cloudflare Access behavior by generating a signed JWT and provides the certificates for Sentry to validate.
14 | - `selenium_server`: The Selenium server that will host the browser
15 | - `securesentry`: Nginx Proxy that to make the Cloudflare Access Mock Server and Sentry run under the same domain (allows for cookie auth)
16 | - `selenium_test`: The actual test suite
17 |
18 | ### Securesentry - SSL Proxy
19 |
20 | This is an SSL proxy with a self-signed certificate.
21 |
22 | In case the certificate becomes invalid, the existing ones should be deleted and created new.
23 |
24 | **When updated, the `proxy.crt` file should be updated on the sentry-docker docker-compose projects.**
25 |
26 | On Sentry docker images the `proxy.crt` is used together with the environment variable `REQUESTS_CA_BUNDLE` to enable usage of a self signed certificate while executing the e2e test suite.
27 |
28 | To setup new SSL certificates:
29 |
30 | ```
31 | cd nginx_ssl_proxy
32 | rm proxy.crt proxy.csr proxy.key
33 | ./gen_ssl.sh
34 | cp proxy.crt ../sentry-docker-9x/proxy.crt
35 | cp proxy.crt ../sentry-docker-10x/proxy.crt
36 | ```
--------------------------------------------------------------------------------
/test/nginx_ssl_proxy/proxy.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDjzCCAncCFFH2al+VcWXjSxcrWS4o3DXcfwDeMA0GCSqGSIb3DQEBCwUAMIGD
3 | MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
4 | IEZyYW5jaXNjbzEYMBYGA1UECgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1J
5 | VCBEZXBhcnRtZW50MRUwEwYDVQQDDAxzZWN1cmVzZW50cnkwHhcNMjAwMTExMDAx
6 | NzI0WhcNMjEwMTEwMDAxNzI0WjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
7 | bGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGDAWBgNVBAoMD0dsb2Jh
8 | bCBTZWN1cml0eTEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDEVMBMGA1UEAwwMc2Vj
9 | dXJlc2VudHJ5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApBRb9skL
10 | 5j7fef5K/t1otKErHZG9Op5uuJavR+mynDoQBw8/3TVKEYuV4P6rltViKL17Qdpt
11 | qdkN7Z5wwzXcjPpCXEkWRJ5ibtW2hrTWKqbTp6XaVL+ntFN9KU8klBG9RvzPo8rH
12 | s/iYr6x/J/0RhV5TjschBavLant+/Uic7tRyTyB7hOEHQPgyb+fbTCfvXrTe/kqR
13 | jg1mI5Hn1Vy4STHBxpCntFnsWa/bOWCwPm8I9FaNwwodpf1AyvGNy8PgdO0LLWza
14 | 1SDeMdDmwDOC+Vla5xRCRXzthXvIdjwbZoW/+rmNL78fyVmJ0wXYtFd3wbTH4H83
15 | iqBLHvHSjAfpswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBClRB3M+Mp7H3kA3I3
16 | xsel6fck8rWDOJuu8cVvEZw+SCicc480JlRxzHMeGDV+1Xr9EQYo3zi2syklsOde
17 | zBfybCRdxLrFcRkodieY5a85KzDmK77JD3P94FwsfjmbJ8kpppi9nTheBl+yFiTI
18 | ++B33A63pMvJjFjyToZI+g6TXvrhbNXAs/pjYssUMYVzQlkBogWYvA9CHdHI0dRZ
19 | PWhCJADHYjuso5mXOnAoiCZvwusidc2eEyQLFZwpzy+Nj1TJM80MCn+pgMH0vd9b
20 | 7rI0+Rw7Oj7cUvdj5+jlHT9wXoMEI88F9KfWinugHF8ffeFKTM+NcKyXKXv61D3A
21 | aPFv
22 | -----END CERTIFICATE-----
23 |
--------------------------------------------------------------------------------
/src/setup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | """
3 | sentry-cloudflare-access-auth
4 | ==============
5 | An extension for Sentry which authenticates users previously
6 | authenticated through Cloudflare Access.
7 | """
8 |
9 | import setuptools
10 |
11 | with open("README.md", "r") as fh:
12 | long_description = fh.read()
13 |
14 | with open("../VERSION", "r") as fh:
15 | version = fh.read()
16 |
17 | install_requires = [
18 | "sentry>=8.0.0",
19 | "PyJWT==1.7.*",
20 | "requests==2.16.*"
21 | ]
22 |
23 | setuptools.setup(
24 | name="sentry-cloudflare-access-auth", # Replace with your own username
25 | version=version,
26 | author="Felipe Nascimento",
27 | author_email="felipe.nascimento1@gmail.com",
28 | description="An extension for Sentry which authenticates users previously authenticated through Cloudflare Access.",
29 | long_description=long_description,
30 | long_description_content_type="text/markdown",
31 | url="https://github.com/cloudflare/cloudflare-access-for-sentry",
32 | packages=setuptools.find_packages(),
33 | package_data={'': ['templates/*.html']},
34 | include_package_data=True,
35 | classifiers=[
36 | "Programming Language :: Python :: 2",
37 | "Programming Language :: Python :: 2 :: Only",
38 | "Programming Language :: Python :: 2.7",
39 | "Framework :: Django",
40 | "Intended Audience :: Developers",
41 | "Intended Audience :: System Administrators",
42 | "License :: Freeware",
43 | "Operating System :: OS Independent",
44 | ],
45 | python_requires=">=2.6",
46 | )
--------------------------------------------------------------------------------
/sentry-docker-9x/docker-compose.yml:
--------------------------------------------------------------------------------
1 | # NOTE: This docker-compose.yml is meant to be just an example of how
2 | # you could accomplish this on your own. It is not intended to work in
3 | # all use-cases and must be adapted to fit your needs. This is merely
4 | # a guideline.
5 |
6 | # See docs.getsentry.com/on-premise/server/ for full
7 | # instructions
8 |
9 | version: '3.4'
10 |
11 | x-defaults: &defaults
12 | restart: unless-stopped
13 | build:
14 | context: .
15 | args:
16 | SENTRY_IMAGE: ${SENTRY_IMAGE}
17 | depends_on:
18 | - redis
19 | - postgres
20 | - memcached
21 | - smtp
22 | env_file: .env
23 | environment:
24 | SENTRY_MEMCACHED_HOST: memcached
25 | SENTRY_REDIS_HOST: redis
26 | SENTRY_POSTGRES_HOST: postgres
27 | SENTRY_EMAIL_HOST: smtp
28 | volumes:
29 | - sentry-data:/var/lib/sentry/files
30 |
31 |
32 | services:
33 | smtp:
34 | restart: unless-stopped
35 | image: tianon/exim4
36 |
37 | memcached:
38 | restart: unless-stopped
39 | image: memcached:1.5-alpine
40 |
41 | redis:
42 | restart: unless-stopped
43 | image: redis:3.2-alpine
44 |
45 | postgres:
46 | restart: unless-stopped
47 | image: postgres:9.5
48 | volumes:
49 | - sentry-postgres:/var/lib/postgresql/data
50 |
51 | web:
52 | <<: *defaults
53 | ports:
54 | - '9000:9000'
55 |
56 | cron:
57 | <<: *defaults
58 | command: run cron
59 |
60 | worker:
61 | <<: *defaults
62 | command: run worker
63 |
64 |
65 | volumes:
66 | sentry-data:
67 | external: true
68 | sentry-postgres:
69 | external: true
70 |
--------------------------------------------------------------------------------
/test/nginx_ssl_proxy/proxy.key:
--------------------------------------------------------------------------------
1 | -----BEGIN PRIVATE KEY-----
2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCkFFv2yQvmPt95
3 | /kr+3Wi0oSsdkb06nm64lq9H6bKcOhAHDz/dNUoRi5Xg/quW1WIovXtB2m2p2Q3t
4 | nnDDNdyM+kJcSRZEnmJu1baGtNYqptOnpdpUv6e0U30pTySUEb1G/M+jysez+Jiv
5 | rH8n/RGFXlOOxyEFq8tqe379SJzu1HJPIHuE4QdA+DJv59tMJ+9etN7+SpGODWYj
6 | kefVXLhJMcHGkKe0WexZr9s5YLA+bwj0Vo3DCh2l/UDK8Y3Lw+B07QstbNrVIN4x
7 | 0ObAM4L5WVrnFEJFfO2Fe8h2PBtmhb/6uY0vvx/JWYnTBdi0V3fBtMfgfzeKoEse
8 | 8dKMB+mzAgMBAAECggEBAIJtrK0AI/VjBUJ0Yik214S+mQdoUoPGbT1OiwcfPlvx
9 | y8vQ03OEaNyJmRrBVqUP+ndoKBKxD3t0jx3UVM7YgfmO9jFl582kGZsBR5bNKXG+
10 | K4GY1XWI5Eb0Fwo/X1RUxaEoVeZdy2HEu5rqBCpFgSgDU2ir4hQf/BMpGEk+74Dp
11 | GcvYfSQxudSjgaQxwf7h8BbhG3HYgy3OUTJ3aiP8qURSwob01urUhXuSlcvWtDqS
12 | bnltp1K2JVtVzbu0DRbcaAncsoMXEBE8qhxQUzreNZLslUBhGkTqhPbUI7tFy3ze
13 | Tmv9OZKrSNkMdP9YM4YqHR5LHga0MtdHnaesG264iAECgYEA1kRG0SKIWIj26f7V
14 | NbE/Gz/EuNSXn8SX77470TMxOM7D1e0rybBbhb3SczkLRyge2bE1uRKBLedRXWO3
15 | f3QHMf5p3Qj4TQgIXaU+0YEqduhWdS2xXxkZIbIR98vzcCkAdTic1JFmONY1mkeQ
16 | cGyByf1oBh1rkXpTtkjObmnRvmsCgYEAxAmo391mDuxhuU7ayxsMIse89BCZNa/m
17 | DpuzqvDq9gnb9hnofpFNuyEX0TVDzGIS+HtI7OdtTL/0BUhlulGOxTutp7I+/tJh
18 | LHSyPhNkU9g78DIzRHr9iU2hCTLivSdM8ROCbvLEApqphxLxEaUYLbm5RrTVuYGL
19 | iPe9yygWw9kCgYAftBCKZ0KnXvSx4MvpWuWMgZ34/zPEJxGYHpy5Moro7ecaIzKk
20 | cBzKqDCYbetWRwBxk3/wd2V3xk9KszN2f1OFOTCuzOH4e+TI/mdSFnuTBoOsaOti
21 | t9L5ImD4Okw130s7DPpflXf7lu5teoNLrzJxEbavmPDOoLv8L7+jpLKtKwKBgDhJ
22 | UbydNA1634A2XOnOJUjjMqSdE3Bvxc1R9V9SdxQXtplNzQxyKfBdyxndgk7vpeTE
23 | eSbUN/S+dJEDvXmmqyiEPxMUQbQmsZHzG65pIPhV8LfBoii6a4t9x4v9mU6YNyZM
24 | 5Ll4aMEaqSxISwE29t9CISllCKyPvoGgKFVpeEfZAoGADRibHW/pzh/dmHPVro8R
25 | lwvJuz5SHLyln1okyJ9ZtjYLud4XRjo8RuQJdR+Cvntc0Gbq4Fmg5TEb16Wq4l8R
26 | sacVmiUyQtMBAm/fsdxnAuB20mpsKTrA+U0lPaqpUdqO4He2/JgeWU3phk89dWXg
27 | OwaLkDw++5HNxMGlLM8a9g4=
28 | -----END PRIVATE KEY-----
29 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Byte-compiled / optimized / DLL files
2 | __pycache__/
3 | *.py[cod]
4 | *$py.class
5 |
6 | # C extensions
7 | *.so
8 |
9 | # Distribution / packaging
10 | .Python
11 | build/
12 | develop-eggs/
13 | dist/
14 | downloads/
15 | eggs/
16 | .eggs/
17 | lib/
18 | lib64/
19 | parts/
20 | sdist/
21 | var/
22 | wheels/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 | MANIFEST
27 |
28 | # PyInstaller
29 | # Usually these files are written by a python script from a template
30 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
31 | *.manifest
32 | *.spec
33 |
34 | # Installer logs
35 | pip-log.txt
36 | pip-delete-this-directory.txt
37 |
38 | # Unit test / coverage reports
39 | htmlcov/
40 | .tox/
41 | .coverage
42 | .coverage.*
43 | .cache
44 | nosetests.xml
45 | coverage.xml
46 | *.cover
47 | .hypothesis/
48 | .pytest_cache/
49 |
50 | # Translations
51 | *.mo
52 | *.pot
53 |
54 | # Django stuff:
55 | *.log
56 | local_settings.py
57 | db.sqlite3
58 |
59 | # Flask stuff:
60 | instance/
61 | .webassets-cache
62 |
63 | # Scrapy stuff:
64 | .scrapy
65 |
66 | # Sphinx documentation
67 | docs/_build/
68 |
69 | # PyBuilder
70 | target/
71 |
72 | # Jupyter Notebook
73 | .ipynb_checkpoints
74 |
75 | # pyenv
76 | .python-version
77 |
78 | # celery beat schedule file
79 | celerybeat-schedule
80 |
81 | # SageMath parsed files
82 | *.sage.py
83 |
84 | # Environments
85 | .env
86 | .venv
87 | env/
88 | venv/
89 | ENV/
90 | env.bak/
91 | venv.bak/
92 |
93 | # Spyder project settings
94 | .spyderproject
95 | .spyproject
96 |
97 | # Rope project settings
98 | .ropeproject
99 |
100 | # mkdocs documentation
101 | /site
102 |
103 | # mypy
104 | .mypy_cache/
105 |
106 |
107 | # extras
108 | .vscode/
109 | *.whl
110 |
--------------------------------------------------------------------------------
/src/sentry_cloudflare_access_auth/helper.py:
--------------------------------------------------------------------------------
1 | from __future__ import absolute_import
2 |
3 | import os
4 |
5 | def setup_cloudflare_access_for_sentry_10x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATES):
6 | MIDDLEWARE_CLASSES = setup_cloudflare_access_middleware(MIDDLEWARE_CLASSES)
7 |
8 | AUTHENTICATION_BACKENDS = (
9 | 'sentry_cloudflare_access_auth.backend.CloudflareAccessBackend',
10 | ) + AUTHENTICATION_BACKENDS
11 |
12 | TEMPLATES[0]['DIRS'] += [os.path.join(get_cloudflare_access_os_root(), "templates")]
13 |
14 | return MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATES
15 |
16 |
17 | def setup_cloudflare_access_for_sentry_9x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS):
18 | MIDDLEWARE_CLASSES = setup_cloudflare_access_middleware(MIDDLEWARE_CLASSES)
19 |
20 | AUTHENTICATION_BACKENDS = (
21 | 'sentry_cloudflare_access_auth.backend.CloudflareAccessBackend',
22 | ) + AUTHENTICATION_BACKENDS
23 |
24 | TEMPLATE_DIRS += (os.path.join(get_cloudflare_access_os_root(), "templates"),)
25 |
26 | return MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS
27 |
28 |
29 |
30 | def setup_cloudflare_access_middleware(MIDDLEWARE_CLASSES):
31 | """
32 | Includes the Cloudflare Access Middleware right after the Authetication Middleware
33 | """
34 | updated_tuple = ()
35 | for middleware in MIDDLEWARE_CLASSES:
36 | updated_tuple = updated_tuple + (middleware,)
37 | if middleware.split(".")[-1] == 'AuthenticationMiddleware':
38 | updated_tuple = updated_tuple + ("sentry_cloudflare_access_auth.middleware.CloudflareAccessAuthMiddleware",)
39 | return updated_tuple
40 |
41 | def get_cloudflare_access_os_root():
42 | return os.path.normpath(os.path.join(os.path.dirname(__file__), os.pardir, 'sentry_cloudflare_access_auth'))
--------------------------------------------------------------------------------
/src/README.md:
--------------------------------------------------------------------------------
1 | # Cloudflare Access for Sentry
2 |
3 | Cloudflare Access for Sentry plugin to enable seamless authentication through Cloudflare Access JWT .
4 |
5 | ## Install on your On-Premise Sentry instance
6 |
7 | To enable this plugin on your On-Premise installation of Sentry add the following to your `sentry.conf.py`:
8 |
9 | ### For Sentry 9.x
10 |
11 | ```
12 | ####################################################
13 | # Cloudflare Access Plugin Setup and Configuration #
14 | ####################################################
15 | from sentry_cloudflare_access_auth.helper import setup_cloudflare_access_for_sentry_9x
16 | MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS = setup_cloudflare_access_for_sentry_9x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS)
17 |
18 | CLOUDFLARE_ACCESS_POLICY_AUD = os.getenv("CF_POLICY_AUD")
19 | CLOUDFLARE_ACCESS_AUTH_DOMAIN = os.getenv("CF_AUTH_DOMAIN")
20 |
21 | # Emails that match this domain will authorize with their Access JWT.
22 | # All other emails will be required authorize again with their Sentry credentials.
23 | #CLOUDFLARE_ACCESS_ALLOWED_DOMAIN = None
24 | ```
25 |
26 | ### For Sentry 10.x
27 |
28 | ```
29 | ####################################################
30 | # Cloudflare Access Plugin Setup and Configuration #
31 | ####################################################
32 | from sentry_cloudflare_access_auth.helper import setup_cloudflare_access_for_sentry_10x
33 | MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATES = setup_cloudflare_access_for_sentry_10x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATES)
34 |
35 | CLOUDFLARE_ACCESS_POLICY_AUD = os.getenv("CF_POLICY_AUD")
36 | CLOUDFLARE_ACCESS_AUTH_DOMAIN = os.getenv("CF_AUTH_DOMAIN")
37 |
38 | # Emails that match this domain will authorize with their Access JWT.
39 | # All other emails will be required authorize again with their Sentry credentials.
40 | #CLOUDFLARE_ACCESS_ALLOWED_DOMAIN = None
41 | ```
--------------------------------------------------------------------------------
/test/selenium_test/test.py:
--------------------------------------------------------------------------------
1 | import unittest
2 | import time
3 | from selenium import webdriver
4 | from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
5 | from selenium.webdriver.common.keys import Keys
6 |
7 | def std_wait_for_action():
8 | time.sleep(2)
9 |
10 | class SentryPluginEndToEndTest(unittest.TestCase):
11 |
12 | def setUp(self):
13 | firefox_options = webdriver.FirefoxOptions()
14 | self.driver = webdriver.Remote(
15 | command_executor='http://selenium_server:4444/wd/hub',
16 | options=firefox_options
17 | )
18 | self.driver.implicitly_wait(10) # 10 seconds
19 | self.user_email = "user@testcompany.com"
20 | self.driver.get("http://securesentry/cdn-cgi/access/auth?email={0}".format(self.user_email))
21 |
22 | def test_login(self):
23 | std_wait_for_action()
24 | driver = self.driver
25 |
26 | driver.get("http://securesentry/")
27 |
28 | sidebar_dropdown = driver.find_element_by_css_selector('[data-test-id="sidebar-dropdown"]')
29 | assert self.user_email in sidebar_dropdown.text
30 |
31 |
32 | def test_logout(self):
33 | std_wait_for_action()
34 | driver = self.driver
35 |
36 | driver.get("http://securesentry/")
37 |
38 | std_wait_for_action()
39 | sidebar_dropdown = driver.find_element_by_css_selector('[data-test-id="sidebar-dropdown"]')
40 | sidebar_dropdown.click()
41 |
42 | std_wait_for_action()
43 | signout_elm = driver.find_element_by_css_selector('[data-test-id="sidebarSignout"]')
44 | signout_elm.click()
45 |
46 | # Assertion on the mock server result
47 | assert "Logout succesful" in driver.page_source
48 |
49 | #TODO test logout
50 |
51 | def tearDown(self):
52 | self.driver.close()
53 |
54 | if __name__ == "__main__":
55 | unittest.main()
--------------------------------------------------------------------------------
/sentry-docker-9x/config.yml:
--------------------------------------------------------------------------------
1 | # While a lot of configuration in Sentry can be changed via the UI, for all
2 | # new-style config (as of 8.0) you can also declare values here in this file
3 | # to enforce defaults or to ensure they cannot be changed via the UI. For more
4 | # information see the Sentry documentation.
5 |
6 | ###############
7 | # Mail Server #
8 | ###############
9 |
10 | # mail.backend: 'smtp' # Use dummy if you want to disable email entirely
11 | # mail.host: 'localhost'
12 | # mail.port: 25
13 | # mail.username: ''
14 | # mail.password: ''
15 | # mail.use-tls: false
16 | # The email address to send on behalf of
17 | # mail.from: 'root@localhost'
18 |
19 | # If you'd like to configure email replies, enable this.
20 | # mail.enable-replies: false
21 |
22 | # When email-replies are enabled, this value is used in the Reply-To header
23 | # mail.reply-hostname: ''
24 |
25 | # If you're using mailgun for inbound mail, set your API key and configure a
26 | # route to forward to /api/hooks/mailgun/inbound/
27 | # mail.mailgun-api-key: ''
28 |
29 | ###################
30 | # System Settings #
31 | ###################
32 |
33 | # If this file ever becomes compromised, it's important to regenerate your a new key
34 | # Changing this value will result in all current sessions being invalidated.
35 | # A new key can be generated with `$ sentry config generate-secret-key`
36 | # system.secret-key: 'changeme'
37 |
38 | # The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis
39 | # clusters. These clusters can be then referred to by name when configuring
40 | # backends such as the cache, digests, or TSDB backend.
41 | # redis.clusters:
42 | # default:
43 | # hosts:
44 | # 0:
45 | # host: 127.0.0.1
46 | # port: 6379
47 |
48 | ################
49 | # File storage #
50 | ################
51 |
52 | # Uploaded media uses these `filestore` settings. The available
53 | # backends are either `filesystem` or `s3`.
54 |
55 | # filestore.backend: 'filesystem'
56 | # filestore.options:
57 | # location: '/tmp/sentry-files'
58 |
59 | # filestore.backend: 's3'
60 | # filestore.options:
61 | # access_key: 'AKIXXXXXX'
62 | # secret_key: 'XXXXXXX'
63 | # bucket_name: 's3-bucket-name'
64 |
--------------------------------------------------------------------------------
/test/mock_server/cloudflare_access_mockserver.py:
--------------------------------------------------------------------------------
1 | import os
2 | import json
3 | import random
4 | import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
5 |
6 | from flask import Flask
7 | from flask_restful import Resource, Api, reqparse
8 |
9 | app = Flask(__name__)
10 | api = Api(app)
11 |
12 | class CloudflareAccessCertificates(Resource):
13 | """
14 | Mock endpoint to return the signing certificates
15 | """
16 | def get(self):
17 | response = {'keys':[self._get_cert_as_json(1), self._get_cert_as_json(2)]}
18 | print(response)
19 | return response
20 |
21 | def _get_cert_as_json(self, index):
22 | with open('cert_0%d.key' % index, 'rb') as fh:
23 | jwk_obj = jwk.JWK.from_pem(fh.read())
24 | jwk_json = jwk_obj.export_public()
25 | return json.loads(jwk_json)
26 |
27 |
28 | class Authenticate(Resource):
29 | """
30 | Signs a JWT with one of the certificates and sets the auth cookie.
31 | """
32 |
33 | def get(self):
34 | parser = reqparse.RequestParser()
35 | parser.add_argument('email')
36 | args = parser.parse_args()
37 | payload = self._create_payload(args['email'])
38 | return {'success': True}, 200, {'Set-Cookie': 'CF_Authorization=%s;path=/' % self._sign_payload(payload)}
39 |
40 | def _sign_payload(self, payload):
41 | rand_cert = random.randint(1,2)
42 | with open('cert_0%d.key' % rand_cert, 'rb') as fh:
43 | signing_key = jwk.JWK.from_pem(fh.read())
44 | token = jwt.generate_jwt(payload, signing_key, 'RS256', datetime.timedelta(minutes=60))
45 | return token
46 |
47 |
48 | def _create_payload(self, email):
49 | return {
50 | "aud": [
51 | "f73c7a6712258428dd625be8da1f6660b74d9a10d8877f579f8429490baa3a64"
52 | ],
53 | "email": email,
54 | "iss": "securesentry",
55 | }
56 |
57 | class Logout(Resource):
58 | def get(self):
59 | return "Logout succesful"
60 |
61 | api.add_resource(CloudflareAccessCertificates, '/cdn-cgi/access/certs')
62 | api.add_resource(Authenticate, '/cdn-cgi/access/auth')
63 | api.add_resource(Logout, '/cdn-cgi/access/logout')
64 |
65 |
66 | if __name__ == '__main__':
67 | app.run(ssl_context='adhoc', debug=True, host='0.0.0.0')
--------------------------------------------------------------------------------
/sentry-docker-9x/README.md:
--------------------------------------------------------------------------------
1 | # Sentry On-Premise [![Build Status][build-status-image]][build-status-url]
2 |
3 | Official bootstrap for running your own [Sentry](https://sentry.io/) with [Docker](https://www.docker.com/).
4 |
5 | ## Requirements
6 |
7 | * Docker 17.05.0+
8 | * Compose 1.17.0+
9 |
10 | ## Minimum Hardware Requirements:
11 |
12 | * You need at least 3GB RAM
13 |
14 | ## Setup
15 |
16 | To get started with all the defaults, simply clone the repo and run `./install.sh` in your local check-out.
17 |
18 | There may need to be modifications to the included `docker-compose.yml` file to accommodate your needs or your environment (such as adding GitHub credentials). If you want to perform these, do them before you run the install script.
19 |
20 | The recommended way to customize your configuration is using the files below, in that order:
21 |
22 | * `config.yml`
23 | * `sentry.conf.py`
24 | * `.env` w/ environment variables
25 |
26 | If you have any issues or questions, our [Community Forum](https://forum.sentry.io/c/on-premise) is at your service!
27 |
28 | ## Securing Sentry with SSL/TLS
29 |
30 | If you'd like to protect your Sentry install with SSL/TLS, there are
31 | fantastic SSL/TLS proxies like [HAProxy](http://www.haproxy.org/)
32 | and [Nginx](http://nginx.org/). You'll likely to add this service to your `docker-compose.yml` file.
33 |
34 | ## Updating Sentry
35 |
36 | Updating Sentry using Compose is relatively simple. Just use the following steps to update. Make sure that you have the latest version set in your Dockerfile. Or use the latest version of this repository.
37 |
38 | Use the following steps after updating this repository or your Dockerfile:
39 | ```sh
40 | docker-compose build --pull # Build the services again after updating, and make sure we're up to date on patch version
41 | docker-compose run --rm web upgrade # Run new migrations
42 | docker-compose up -d # Recreate the services
43 | ```
44 |
45 | ## Resources
46 |
47 | * [Documentation](https://docs.sentry.io/server/installation/docker/)
48 | * [Bug Tracker](https://github.com/getsentry/onpremise/issues)
49 | * [Forums](https://forum.sentry.io/c/on-premise)
50 | * [IRC](irc://chat.freenode.net/sentry) (chat.freenode.net, #sentry)
51 |
52 |
53 | [build-status-image]: https://api.travis-ci.com/getsentry/onpremise.svg?branch=master
54 | [build-status-url]: https://travis-ci.com/getsentry/onpremise
55 |
--------------------------------------------------------------------------------
/src/sentry_cloudflare_access_auth/backend.py:
--------------------------------------------------------------------------------
1 | from __future__ import absolute_import
2 |
3 | import logging
4 |
5 | from django.conf import settings
6 | from django.contrib.auth.backends import ModelBackend
7 | from sentry.utils.auth import find_users
8 |
9 | logger = logging.getLogger(__name__)
10 | #logger.setLevel('DEBUG')
11 |
12 | class CloudflareAccessBackend(ModelBackend):
13 | def authenticate(self, email=None, jwt_validated=False):
14 | """
15 | Authenticate a user by the e-mail and the flag indicating it was a valid token
16 | """
17 | logger.debug("TRYING TO AUTH WITH CloudflareAccessBackend ...")
18 |
19 | if email == None or jwt_validated == False:
20 | return None
21 |
22 | users = find_users(email)
23 |
24 | logger.debug("Users found: %s", [u.username for u in users])
25 |
26 | if len(users) == 0:
27 | logger.debug("User not found...")
28 | raise UserNotFoundException("User with email {0} not found".format(email))
29 |
30 | if len(users) > 1:
31 | logger.debug("More than one user matches '%s': %s", email, len(users))
32 | raise MultipleUsersMatchingEmailException("Found {0} users that match the email {1}!".format(len(users), email))
33 |
34 | if self._enforce_standard_auth(email):
35 | logger.debug("Enforcing standard auth...")
36 | return None
37 |
38 | user = users[0]
39 | logger.debug("Auth successful for user: %s", user.username)
40 |
41 | if not user.is_active:
42 | logger.debug("User is not active: %s", user.username)
43 | raise UserIsNotActiveException("User %s is not active!" % user.username)
44 |
45 | return user
46 |
47 |
48 |
49 | def user_can_authenticate(self, user):
50 | return True
51 |
52 |
53 |
54 | def _enforce_standard_auth(self, email):
55 | try:
56 | configured = settings.CLOUDFLARE_ACCESS_ALLOWED_DOMAIN != None
57 | except AttributeError:
58 | pass
59 | else:
60 | if configured:
61 | domain = email.split("@")[-1]
62 | if domain != settings.CLOUDFLARE_ACCESS_ALLOWED_DOMAIN:
63 | return True
64 |
65 | return False
66 |
67 |
68 | class MultipleUsersMatchingEmailException(Exception):
69 | pass
70 |
71 |
72 | class UserIsNotActiveException(Exception):
73 | pass
74 |
75 | class UserNotFoundException(Exception):
76 | pass
--------------------------------------------------------------------------------
/sentry-docker-10x/sentry/config.example.yml:
--------------------------------------------------------------------------------
1 | # While a lot of configuration in Sentry can be changed via the UI, for all
2 | # new-style config (as of 8.0) you can also declare values here in this file
3 | # to enforce defaults or to ensure they cannot be changed via the UI. For more
4 | # information see the Sentry documentation.
5 |
6 | ###############
7 | # Mail Server #
8 | ###############
9 |
10 | # mail.backend: 'smtp' # Use dummy if you want to disable email entirely
11 | mail.host: 'smtp'
12 | # mail.port: 25
13 | # mail.username: ''
14 | # mail.password: ''
15 | # mail.use-tls: false
16 | # The email address to send on behalf of
17 | # mail.from: 'root@localhost'
18 |
19 | # If you'd like to configure email replies, enable this.
20 | # mail.enable-replies: true
21 |
22 | # When email-replies are enabled, this value is used in the Reply-To header
23 | # mail.reply-hostname: ''
24 |
25 | # If you're using mailgun for inbound mail, set your API key and configure a
26 | # route to forward to /api/hooks/mailgun/inbound/
27 | # Also don't forget to set `mail.enable-replies: true` above.
28 | # mail.mailgun-api-key: ''
29 |
30 | ###################
31 | # System Settings #
32 | ###################
33 |
34 | # If this file ever becomes compromised, it's important to regenerate your a new key
35 | # Changing this value will result in all current sessions being invalidated.
36 | # A new key can be generated with `$ sentry config generate-secret-key`
37 | system.secret-key: '!!changeme!!'
38 |
39 | # The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis
40 | # clusters. These clusters can be then referred to by name when configuring
41 | # backends such as the cache, digests, or TSDB backend.
42 | # redis.clusters:
43 | # default:
44 | # hosts:
45 | # 0:
46 | # host: 127.0.0.1
47 | # port: 6379
48 |
49 | ################
50 | # File storage #
51 | ################
52 |
53 | # Uploaded media uses these `filestore` settings. The available
54 | # backends are either `filesystem` or `s3`.
55 |
56 | filestore.backend: 'filesystem'
57 | filestore.options:
58 | location: '/data/files'
59 | dsym.cache-path: '/data/dsym-cache'
60 | releasefile.cache-path: '/data/releasefile-cache'
61 |
62 | # filestore.backend: 's3'
63 | # filestore.options:
64 | # access_key: 'AKIXXXXXX'
65 | # secret_key: 'XXXXXXX'
66 | # bucket_name: 's3-bucket-name'
67 |
68 | system.internal-url-prefix: 'http://web:9000'
69 | symbolicator.enabled: true
70 | symbolicator.options:
71 | url: "http://symbolicator:3021"
72 |
73 | transaction-events.force-disable-internal-project: true
74 |
--------------------------------------------------------------------------------
/sentry-docker-9x/install.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | LATEST_STABLE_SENTRY_IMAGE='sentry:9.1.2'
5 |
6 | MIN_DOCKER_VERSION='17.05.0'
7 | MIN_COMPOSE_VERSION='1.17.0'
8 | MIN_RAM=3072 # MB
9 | ENV_FILE='.env'
10 |
11 | DID_CLEAN_UP=0
12 | # the cleanup function will be the exit point
13 | cleanup () {
14 | if [ "$DID_CLEAN_UP" -eq 1 ]; then
15 | return 0;
16 | fi
17 | echo "Cleaning up..."
18 | docker-compose down &> /dev/null
19 | DID_CLEAN_UP=1
20 | }
21 | trap cleanup ERR INT TERM
22 |
23 | echo "Checking minimum requirements..."
24 |
25 | DOCKER_VERSION=$(docker version --format '{{.Server.Version}}')
26 | COMPOSE_VERSION=$(docker-compose --version | sed 's/docker-compose version \(.\{1,\}\),.*/\1/')
27 | RAM_AVAILABLE_IN_DOCKER=$(docker run --rm busybox free -m 2>/dev/null | awk '/Mem/ {print $2}');
28 |
29 | # Function below is inspired by https://stackoverflow.com/a/29394504/90297
30 | function ver { printf "%03d%03d%03d%03d" $(echo "$1" | sed 's/^0*\([0-9]\+\)\.0*\([0-9]\+\)\.0*\([0-9]\+\).*/\1 \2 \3/' | head -n 3 ); }
31 |
32 | if [ $(ver $DOCKER_VERSION) -lt $(ver $MIN_DOCKER_VERSION) ]; then
33 | echo "FAIL: Expected minimum Docker version to be $MIN_DOCKER_VERSION but found $DOCKER_VERSION"
34 | exit -1
35 | fi
36 |
37 | if [ $(ver $COMPOSE_VERSION) -lt $(ver $MIN_COMPOSE_VERSION) ]; then
38 | echo "FAIL: Expected minimum docker-compose version to be $MIN_COMPOSE_VERSION but found $COMPOSE_VERSION"
39 | exit -1
40 | fi
41 |
42 | if [ "$RAM_AVAILABLE_IN_DOCKER" -lt "$MIN_RAM" ]; then
43 | echo "FAIL: Expected minimum RAM available to Docker to be $MIN_RAM MB but found $RAM_AVAILABLE_IN_DOCKER MB"
44 | exit -1
45 | fi
46 |
47 | echo ""
48 | echo "Creating volumes for persistent storage..."
49 | echo "Created $(docker volume create --name=sentry-data)."
50 | echo "Created $(docker volume create --name=sentry-postgres)."
51 | echo ""
52 |
53 | if [ -f "$ENV_FILE" ]; then
54 | echo "$ENV_FILE already exists, skipped creation."
55 | else
56 | echo "Creating $ENV_FILE..."
57 | cp -n .env.example "$ENV_FILE"
58 | fi
59 |
60 | if [ -z $SENTRY_IMAGE ]; then
61 | echo ""
62 | echo "\$SENTRY_IMAGE not set, using latest stable: $LATEST_STABLE_SENTRY_IMAGE";
63 | export SENTRY_IMAGE=$LATEST_STABLE_SENTRY_IMAGE
64 | fi
65 |
66 | echo ""
67 | echo "Building and tagging Docker images..."
68 | echo ""
69 | docker-compose build
70 | echo ""
71 | echo "Docker images built."
72 |
73 | echo ""
74 | echo "Generating secret key..."
75 | # This is to escape the secret key to be used in sed below
76 | SECRET_KEY=$(docker-compose run --rm web config generate-secret-key 2> /dev/null | tail -n1 | sed -e 's/[\/&]/\\&/g')
77 | sed -i -e 's/^SENTRY_SECRET_KEY=.*$/SENTRY_SECRET_KEY='"$SECRET_KEY"'/' $ENV_FILE
78 | echo "Secret key written to $ENV_FILE"
79 |
80 | echo ""
81 | echo "Setting up database..."
82 | if [ $CI ]; then
83 | docker-compose run --rm web upgrade --noinput
84 | echo ""
85 | echo "Did not prompt for user creation due to non-interactive shell."
86 | echo "Run the following command to create one yourself (recommended):"
87 | echo ""
88 | echo " docker-compose run --rm web createuser"
89 | echo ""
90 | else
91 | docker-compose run --rm web upgrade
92 | fi
93 |
94 | cleanup
95 |
96 | echo ""
97 | echo "----------------"
98 | echo "You're all done! Run the following command get Sentry running:"
99 | echo ""
100 | echo " docker-compose up -d"
101 | echo ""
102 |
--------------------------------------------------------------------------------
/sentry-docker-10x/README.md:
--------------------------------------------------------------------------------
1 | # Sentry 10 On-Premise BETA [![Build Status][build-status-image]][build-status-url]
2 |
3 | Official bootstrap for running your own [Sentry](https://sentry.io/) with [Docker](https://www.docker.com/).
4 |
5 | **NOTE:** If you are not installing Sentry from scratch, our recommendation is to visit [On-Premise Stable for Sentry 9.1.2](https://github.com/getsentry/onpremise/tree/stable) as this version may not be fully backward compatible. If you still want to try it out make sure you are on 9.1.2 first, back up your old Docker volumes just in case, and remember that if you haven't set up Redis persistency yourself some of your data (like your stats) may be lost during the upgrade.
6 |
7 | ## Requirements
8 |
9 | * Docker 17.05.0+
10 | * Compose 1.19.0+
11 |
12 | ## Minimum Hardware Requirements:
13 |
14 | * You need at least 2400MB RAM
15 |
16 | ## Setup
17 |
18 | To get started with all the defaults, simply clone the repo and run `./install.sh` in your local check-out.
19 |
20 | There may need to be modifications to the included example config files (`sentry/config.example.yml` and `sentry/sentry.conf.example.py`) to accommodate your needs or your environment (such as adding GitHub credentials). If you want to perform these, do them before you run the install script and copy them without the `.example` extensions in the name (such as `sentry/sentry.conf.py`) before running the `install.sh` script.
21 |
22 | The recommended way to customize your configuration is using the files below, in that order:
23 |
24 | * `config.yml`
25 | * `sentry.conf.py`
26 | * `.env` w/ environment variables
27 |
28 | We currently support a very minimal set of environment variables to promote other means of configuration.
29 |
30 | If you have any issues or questions, our [Community Forum](https://forum.sentry.io/c/on-premise) is at your service!
31 |
32 | ## Event Retention
33 |
34 | Sentry comes with a cleanup cron job that prunes events older than `90 days` by default. If you want to change that, you can change the `SENTRY_EVENT_RETENTION_DAYS` environment variable in `.env` or simply override it in your environment. If you do not want the cleanup cron, you can remove the `sentry-cleanup` service from the `docker-compose.yml`file.
35 |
36 | ## Securing Sentry with SSL/TLS
37 |
38 | If you'd like to protect your Sentry install with SSL/TLS, there are
39 | fantastic SSL/TLS proxies like [HAProxy](http://www.haproxy.org/)
40 | and [Nginx](http://nginx.org/). You'll likely want to add this service to your `docker-compose.yml` file.
41 |
42 | ## Updating Sentry
43 |
44 | Updating Sentry using Compose is relatively simple. Just use the following steps to update. Make sure that you have the latest version set in your Dockerfile. Or use the latest version of this repository.
45 |
46 | Use the following steps after updating this repository or your Dockerfile:
47 | ```sh
48 | docker-compose build --pull # Build the services again after updating, and make sure we're up to date on patch version
49 | docker-compose run --rm web upgrade # Run new migrations
50 | docker-compose up -d # Recreate the services
51 | ```
52 |
53 | ## Resources
54 |
55 | * [Documentation](https://docs.sentry.io/server/installation/docker/)
56 | * [Bug Tracker](https://github.com/getsentry/onpremise/issues)
57 | * [Forums](https://forum.sentry.io/c/on-premise)
58 | * [IRC](irc://chat.freenode.net/sentry) (chat.freenode.net, #sentry)
59 |
60 |
61 | [build-status-image]: https://api.travis-ci.com/getsentry/onpremise.svg?branch=master
62 | [build-status-url]: https://travis-ci.com/getsentry/onpremise
63 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Cloudflare Access for Sentry
2 |
3 | Repository for Cloudflare Access for Sentry plugin development.
4 |
5 | ## Install on your On-Premise Sentry instance
6 |
7 | To enable this plugin on your On-Premise installation of Sentry you need to install via `pip` and update your `sentry.conf.py`
8 |
9 | The Access *Audience* and *Auth Domain* may be set in your OS environment or directly in Sentry conf file.
10 |
11 | ### Install with `pip`
12 |
13 | When it become public can change to:
14 |
15 | ```
16 | pip install "git+https://github.com/cloudflare/cloudflare-access-for-sentry@master#egg=sentry_cloudflare_access_auth&subdirectory=src"
17 | ```
18 |
19 | And restart your Sentry after updating the configuration.
20 |
21 | ### Configuration For Sentry 9.x
22 |
23 | ```
24 | ####################################################
25 | # Cloudflare Access Plugin Setup and Configuration #
26 | ####################################################
27 | from sentry_cloudflare_access_auth.helper import setup_cloudflare_access_for_sentry_9x
28 | MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS = setup_cloudflare_access_for_sentry_9x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS)
29 |
30 | CLOUDFLARE_ACCESS_POLICY_AUD = os.getenv("CF_POLICY_AUD")
31 | CLOUDFLARE_ACCESS_AUTH_DOMAIN = os.getenv("CF_AUTH_DOMAIN")
32 |
33 | # Emails that match this domain will authorize with their Access JWT.
34 | # All other emails will be required authorize again with their Sentry credentials.
35 | #CLOUDFLARE_ACCESS_ALLOWED_DOMAIN = None
36 | ```
37 |
38 | ### Configuration For Sentry 10.x
39 |
40 | ```
41 | ####################################################
42 | # Cloudflare Access Plugin Setup and Configuration #
43 | ####################################################
44 | from sentry_cloudflare_access_auth.helper import setup_cloudflare_access_for_sentry_10x
45 | MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATES = setup_cloudflare_access_for_sentry_10x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATES)
46 |
47 | CLOUDFLARE_ACCESS_POLICY_AUD = os.getenv("CF_POLICY_AUD")
48 | CLOUDFLARE_ACCESS_AUTH_DOMAIN = os.getenv("CF_AUTH_DOMAIN")
49 |
50 | # Emails that match this domain will authorize with their Access JWT.
51 | # All other emails will be required authorize again with their Sentry credentials.
52 | #CLOUDFLARE_ACCESS_ALLOWED_DOMAIN = None
53 | ```
54 |
55 | ## Plugin Development
56 |
57 | Prepare your python environment to build the plugin:
58 |
59 | ```
60 | pip install setuptools
61 | pip install wheel
62 | ```
63 |
64 | If you want to have code completion on your IDE probably is a good idea to also run:
65 |
66 | ```
67 | pip install 'django<1.10'
68 | ```
69 |
70 | Create a `sentry-docker-9x/.env` and `sentry-docker-10x/sentry.env` files with your Cloudflare Access test credentials like:
71 |
72 | ```
73 | CF_POLICY_AUD="YOUR POLICY AUDIENCE VALUE"
74 | CF_AUTH_DOMAIN="YOUR ACCESS LOGIN PAGE DOMAIN"
75 | ```
76 |
77 | Prepare your Sentry on Docker environment:
78 |
79 | ```
80 | #Or replace 9x with 10x
81 | cd sentry-docker-9x
82 | ./install.sh
83 | docker-compose up -d
84 | ```
85 |
86 | To reload the plugin code:
87 |
88 | ```
89 | #Or replace 9x with 10x
90 | ./build-docker-9x.sh
91 | ```
92 |
93 | ### Running tests
94 |
95 | Running tests for Sentry 9.x:
96 |
97 | ```
98 | ./test.sh -t 9
99 | ```
100 |
101 | Running tests for Sentry 10.x:
102 | ```
103 | ./test.sh -t 10
104 | ```
105 |
106 | Cleanup tests for 9.x or 10.x:
107 | ```
108 | ./test.sh -t 10 -c
109 | ```
110 |
111 | ### Django version
112 |
113 | Sentry 9.x is based on `Django 1.7` .
114 |
115 | Sentry 10.x is based on `Django 1.9` .
116 |
--------------------------------------------------------------------------------
/sentry-docker-10x/LICENSE:
--------------------------------------------------------------------------------
1 | Business Source License 1.1
2 |
3 | Parameters
4 |
5 | Licensor: Functional Software, Inc.
6 | Licensed Work: Sentry
7 | The Licensed Work is (c) 2019 Functional Software, Inc.
8 | Additional Use Grant: You may make use of the Licensed Work, provided that you do
9 | not use the Licensed Work for an Application Monitoring
10 | Service.
11 |
12 | An "Application Monitoring Service" is a commercial offering
13 | that allows third parties (other than your employees and
14 | contractors) to access the functionality of the Licensed
15 | Work so that such third parties directly benefit from the
16 | error-reporting or application monitoring features of the
17 | Licensed Work.
18 |
19 | Change Date: 2022-09-15
20 |
21 | Change License: Apache License, Version 2.0
22 |
23 | For information about alternative licensing arrangements for the Software,
24 | please visit: https://sentry.io/pricing/
25 |
26 | Notice
27 |
28 | The Business Source License (this document, or the "License") is not an Open
29 | Source license. However, the Licensed Work will eventually be made available
30 | under an Open Source License, as stated in this License.
31 |
32 | License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
33 | "Business Source License" is a trademark of MariaDB Corporation Ab.
34 |
35 | -----------------------------------------------------------------------------
36 |
37 | Business Source License 1.1
38 |
39 | Terms
40 |
41 | The Licensor hereby grants you the right to copy, modify, create derivative
42 | works, redistribute, and make non-production use of the Licensed Work. The
43 | Licensor may make an Additional Use Grant, above, permitting limited
44 | production use.
45 |
46 | Effective on the Change Date, or the fourth anniversary of the first publicly
47 | available distribution of a specific version of the Licensed Work under this
48 | License, whichever comes first, the Licensor hereby grants you rights under
49 | the terms of the Change License, and the rights granted in the paragraph
50 | above terminate.
51 |
52 | If your use of the Licensed Work does not comply with the requirements
53 | currently in effect as described in this License, you must purchase a
54 | commercial license from the Licensor, its affiliated entities, or authorized
55 | resellers, or you must refrain from using the Licensed Work.
56 |
57 | All copies of the original and modified Licensed Work, and derivative works
58 | of the Licensed Work, are subject to this License. This License applies
59 | separately for each version of the Licensed Work and the Change Date may vary
60 | for each version of the Licensed Work released by Licensor.
61 |
62 | You must conspicuously display this License on each original or modified copy
63 | of the Licensed Work. If you receive the Licensed Work in original or
64 | modified form from a third party, the terms and conditions set forth in this
65 | License apply to your use of that work.
66 |
67 | Any use of the Licensed Work in violation of this License will automatically
68 | terminate your rights under this License for the current and all other
69 | versions of the Licensed Work.
70 |
71 | This License does not grant you any right in any trademark or logo of
72 | Licensor or its affiliates (provided that you may use a trademark or logo of
73 | Licensor as expressly required by this License).
74 |
75 | TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
76 | AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
77 | EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
78 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
79 | TITLE.
80 |
81 | MariaDB hereby grants you permission to use this License’s text to license
82 | your works, and to refer to it using the trademark "Business Source License",
83 | as long as you comply with the Covenants of Licensor below.
84 |
85 | Covenants of Licensor
86 |
87 | In consideration of the right to use this License’s text and the "Business
88 | Source License" name and trademark, Licensor covenants to MariaDB, and to all
89 | other recipients of the licensed work to be provided by Licensor:
90 |
91 | 1. To specify as the Change License the GPL Version 2.0 or any later version,
92 | or a license that is compatible with GPL Version 2.0 or a later version,
93 | where "compatible" means that software provided under the Change License can
94 | be included in a program with software provided under GPL Version 2.0 or a
95 | later version. Licensor may specify additional Change Licenses without
96 | limitation.
97 |
98 | 2. To either: (a) specify an additional grant of rights to use that does not
99 | impose any additional restriction on the right granted in this License, as
100 | the Additional Use Grant; or (b) insert the text "None".
101 |
102 | 3. To specify a Change Date.
103 |
104 | 4. Not to modify this License in any other way.
105 |
--------------------------------------------------------------------------------
/sentry-docker-10x/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: '3.4'
2 | x-restart-policy: &restart_policy
3 | restart: unless-stopped
4 | x-sentry-defaults: &sentry_defaults
5 | << : *restart_policy
6 | build:
7 | context: ./sentry
8 | args:
9 | - SENTRY_IMAGE
10 | image: sentry-onpremise-local
11 | depends_on:
12 | - redis
13 | - postgres
14 | - memcached
15 | - smtp
16 | - snuba-api
17 | - snuba-consumer
18 | - snuba-replacer
19 | - symbolicator
20 | - kafka
21 | environment:
22 | SNUBA: 'http://snuba-api:1218'
23 | volumes:
24 | - 'sentry-data:/data'
25 | x-snuba-defaults: &snuba_defaults
26 | << : *restart_policy
27 | depends_on:
28 | - redis
29 | - clickhouse
30 | - kafka
31 | image: 'getsentry/snuba:latest'
32 | environment:
33 | SNUBA_SETTINGS: docker
34 | CLICKHOUSE_HOST: clickhouse
35 | DEFAULT_BROKERS: 'kafka:9092'
36 | REDIS_HOST: redis
37 | # TODO: Remove these after getsentry/snuba#353
38 | UWSGI_MAX_REQUESTS: '10000'
39 | UWSGI_DISABLE_LOGGING: 'true'
40 | UWSGI_ENABLE_THREADS: 'true'
41 | UWSGI_DIE_ON_TERM: 'true'
42 | UWSGI_NEED_APP: 'true'
43 | UWSGI_IGNORE_SIGPIPE: 'true'
44 | UWSGI_IGNORE_WRITE_ERRORS: 'true'
45 | UWSGI_DISABLE_WRITE_EXCEPTION: 'true'
46 | services:
47 | smtp:
48 | << : *restart_policy
49 | image: tianon/exim4
50 | volumes:
51 | - 'sentry-smtp:/var/spool/exim4'
52 | - 'sentry-smtp-log:/var/log/exim4'
53 | memcached:
54 | << : *restart_policy
55 | image: 'memcached:1.5-alpine'
56 | redis:
57 | << : *restart_policy
58 | image: 'redis:5.0-alpine'
59 | volumes:
60 | - 'sentry-redis:/data'
61 | postgres:
62 | << : *restart_policy
63 | image: 'postgres:9.6'
64 | volumes:
65 | - 'sentry-postgres:/var/lib/postgresql/data'
66 | environment:
67 | POSTGRES_USER: sentry
68 | POSTGRES_PASSWORD: sentry
69 | zookeeper:
70 | << : *restart_policy
71 | image: 'confluentinc/cp-zookeeper:5.1.2'
72 | environment:
73 | ZOOKEEPER_CLIENT_PORT: '2181'
74 | CONFLUENT_SUPPORT_METRICS_ENABLE: 'false'
75 | ZOOKEEPER_LOG4J_ROOT_LOGLEVEL: 'WARN'
76 | ZOOKEEPER_TOOLS_LOG4J_LOGLEVEL: 'WARN'
77 | volumes:
78 | - 'sentry-zookeeper:/var/lib/zookeeper/data'
79 | - 'sentry-zookeeper-log:/var/lib/zookeeper/log'
80 | - 'sentry-secrets:/etc/zookeeper/secrets'
81 | kafka:
82 | << : *restart_policy
83 | depends_on:
84 | - zookeeper
85 | image: 'confluentinc/cp-kafka:5.1.2'
86 | environment:
87 | KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
88 | KAFKA_ADVERTISED_LISTENERS: 'PLAINTEXT://kafka:9092'
89 | KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: '1'
90 | CONFLUENT_SUPPORT_METRICS_ENABLE: 'false'
91 | KAFKA_LOG4J_LOGGERS: 'kafka.cluster=WARN,kafka.controller=WARN,kafka.coordinator=WARN,kafka.log=WARN,kafka.server=WARN,kafka.zookeeper=WARN,state.change.logger=WARN'
92 | KAFKA_LOG4J_ROOT_LOGLEVEL: 'WARN'
93 | KAFKA_TOOLS_LOG4J_LOGLEVEL: 'WARN'
94 | volumes:
95 | - 'sentry-kafka:/var/lib/kafka/data'
96 | - 'sentry-kafka-log:/var/lib/kafka/log'
97 | - 'sentry-secrets:/etc/kafka/secrets'
98 | clickhouse:
99 | << : *restart_policy
100 | image: 'yandex/clickhouse-server:19.4'
101 | ulimits:
102 | nofile:
103 | soft: 262144
104 | hard: 262144
105 | volumes:
106 | - 'sentry-clickhouse:/var/lib/clickhouse'
107 | snuba-api:
108 | << : *snuba_defaults
109 | snuba-consumer:
110 | << : *snuba_defaults
111 | command: consumer --auto-offset-reset=latest --max-batch-time-ms 750
112 | snuba-replacer:
113 | << : *snuba_defaults
114 | command: replacer --auto-offset-reset=latest --max-batch-size 3
115 | snuba-cleanup:
116 | << : *snuba_defaults
117 | image: snuba-cleanup-onpremise-local
118 | build:
119 | context: ./cron
120 | args:
121 | BASE_IMAGE: 'getsentry/snuba:latest'
122 | command: '"*/5 * * * * gosu snuba snuba cleanup --dry-run False"'
123 | symbolicator:
124 | << : *restart_policy
125 | image: 'getsentry/symbolicator:latest'
126 | volumes:
127 | - 'sentry-symbolicator:/data'
128 | command: run
129 | symbolicator-cleanup:
130 | image: symbolicator-cleanup-onpremise-local
131 | build:
132 | context: ./cron
133 | args:
134 | BASE_IMAGE: 'getsentry/symbolicator:latest'
135 | command: '"55 23 * * * gosu symbolicator symbolicator cleanup"'
136 | volumes:
137 | - 'sentry-symbolicator:/data'
138 | web:
139 | << : *sentry_defaults
140 | env_file:
141 | - sentry.env
142 | ports:
143 | - '9000:9000/tcp'
144 | cron:
145 | << : *sentry_defaults
146 | command: run cron
147 | worker:
148 | << : *sentry_defaults
149 | command: run worker
150 | sentry-cleanup:
151 | << : *sentry_defaults
152 | image: sentry-cleanup-onpremise-local
153 | build:
154 | context: ./cron
155 | args:
156 | BASE_IMAGE: 'sentry-onpremise-local'
157 | command: '"0 0 * * * gosu sentry sentry cleanup --days $SENTRY_EVENT_RETENTION_DAYS"'
158 | volumes:
159 | sentry-data:
160 | external: true
161 | sentry-postgres:
162 | external: true
163 | sentry-redis:
164 | external: true
165 | sentry-zookeeper:
166 | external: true
167 | sentry-kafka:
168 | external: true
169 | sentry-clickhouse:
170 | external: true
171 | sentry-symbolicator:
172 | external: true
173 | sentry-secrets:
174 | sentry-smtp:
175 | sentry-zookeeper-log:
176 | sentry-kafka-log:
177 | sentry-smtp-log:
178 |
--------------------------------------------------------------------------------
/test/selenium_test/wait-for-it.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Use this script to test if a given TCP host/port are available
3 |
4 | WAITFORIT_cmdname=${0##*/}
5 |
6 | echoerr() { if [[ $WAITFORIT_QUIET -ne 1 ]]; then echo "$@" 1>&2; fi }
7 |
8 | usage()
9 | {
10 | cat << USAGE >&2
11 | Usage:
12 | $WAITFORIT_cmdname host:port [-s] [-t timeout] [-- command args]
13 | -h HOST | --host=HOST Host or IP under test
14 | -p PORT | --port=PORT TCP port under test
15 | Alternatively, you specify the host and port as host:port
16 | -s | --strict Only execute subcommand if the test succeeds
17 | -q | --quiet Don't output any status messages
18 | -t TIMEOUT | --timeout=TIMEOUT
19 | Timeout in seconds, zero for no timeout
20 | -- COMMAND ARGS Execute command with args after the test finishes
21 | USAGE
22 | exit 1
23 | }
24 |
25 | wait_for()
26 | {
27 | if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then
28 | echoerr "$WAITFORIT_cmdname: waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT"
29 | else
30 | echoerr "$WAITFORIT_cmdname: waiting for $WAITFORIT_HOST:$WAITFORIT_PORT without a timeout"
31 | fi
32 | WAITFORIT_start_ts=$(date +%s)
33 | while :
34 | do
35 | if [[ $WAITFORIT_ISBUSY -eq 1 ]]; then
36 | nc -z $WAITFORIT_HOST $WAITFORIT_PORT
37 | WAITFORIT_result=$?
38 | else
39 | (echo > /dev/tcp/$WAITFORIT_HOST/$WAITFORIT_PORT) >/dev/null 2>&1
40 | WAITFORIT_result=$?
41 | fi
42 | if [[ $WAITFORIT_result -eq 0 ]]; then
43 | WAITFORIT_end_ts=$(date +%s)
44 | echoerr "$WAITFORIT_cmdname: $WAITFORIT_HOST:$WAITFORIT_PORT is available after $((WAITFORIT_end_ts - WAITFORIT_start_ts)) seconds"
45 | break
46 | fi
47 | sleep 1
48 | done
49 | return $WAITFORIT_result
50 | }
51 |
52 | wait_for_wrapper()
53 | {
54 | # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692
55 | if [[ $WAITFORIT_QUIET -eq 1 ]]; then
56 | timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --quiet --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT &
57 | else
58 | timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT &
59 | fi
60 | WAITFORIT_PID=$!
61 | trap "kill -INT -$WAITFORIT_PID" INT
62 | wait $WAITFORIT_PID
63 | WAITFORIT_RESULT=$?
64 | if [[ $WAITFORIT_RESULT -ne 0 ]]; then
65 | echoerr "$WAITFORIT_cmdname: timeout occurred after waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT"
66 | fi
67 | return $WAITFORIT_RESULT
68 | }
69 |
70 | # process arguments
71 | while [[ $# -gt 0 ]]
72 | do
73 | case "$1" in
74 | *:* )
75 | WAITFORIT_hostport=(${1//:/ })
76 | WAITFORIT_HOST=${WAITFORIT_hostport[0]}
77 | WAITFORIT_PORT=${WAITFORIT_hostport[1]}
78 | shift 1
79 | ;;
80 | --child)
81 | WAITFORIT_CHILD=1
82 | shift 1
83 | ;;
84 | -q | --quiet)
85 | WAITFORIT_QUIET=1
86 | shift 1
87 | ;;
88 | -s | --strict)
89 | WAITFORIT_STRICT=1
90 | shift 1
91 | ;;
92 | -h)
93 | WAITFORIT_HOST="$2"
94 | if [[ $WAITFORIT_HOST == "" ]]; then break; fi
95 | shift 2
96 | ;;
97 | --host=*)
98 | WAITFORIT_HOST="${1#*=}"
99 | shift 1
100 | ;;
101 | -p)
102 | WAITFORIT_PORT="$2"
103 | if [[ $WAITFORIT_PORT == "" ]]; then break; fi
104 | shift 2
105 | ;;
106 | --port=*)
107 | WAITFORIT_PORT="${1#*=}"
108 | shift 1
109 | ;;
110 | -t)
111 | WAITFORIT_TIMEOUT="$2"
112 | if [[ $WAITFORIT_TIMEOUT == "" ]]; then break; fi
113 | shift 2
114 | ;;
115 | --timeout=*)
116 | WAITFORIT_TIMEOUT="${1#*=}"
117 | shift 1
118 | ;;
119 | --)
120 | shift
121 | WAITFORIT_CLI=("$@")
122 | break
123 | ;;
124 | --help)
125 | usage
126 | ;;
127 | *)
128 | echoerr "Unknown argument: $1"
129 | usage
130 | ;;
131 | esac
132 | done
133 |
134 | if [[ "$WAITFORIT_HOST" == "" || "$WAITFORIT_PORT" == "" ]]; then
135 | echoerr "Error: you need to provide a host and port to test."
136 | usage
137 | fi
138 |
139 | WAITFORIT_TIMEOUT=${WAITFORIT_TIMEOUT:-15}
140 | WAITFORIT_STRICT=${WAITFORIT_STRICT:-0}
141 | WAITFORIT_CHILD=${WAITFORIT_CHILD:-0}
142 | WAITFORIT_QUIET=${WAITFORIT_QUIET:-0}
143 |
144 | # check to see if timeout is from busybox?
145 | WAITFORIT_TIMEOUT_PATH=$(type -p timeout)
146 | WAITFORIT_TIMEOUT_PATH=$(realpath $WAITFORIT_TIMEOUT_PATH 2>/dev/null || readlink -f $WAITFORIT_TIMEOUT_PATH)
147 | if [[ $WAITFORIT_TIMEOUT_PATH =~ "busybox" ]]; then
148 | WAITFORIT_ISBUSY=1
149 | WAITFORIT_BUSYTIMEFLAG="-t"
150 |
151 | else
152 | WAITFORIT_ISBUSY=0
153 | WAITFORIT_BUSYTIMEFLAG=""
154 | fi
155 |
156 | if [[ $WAITFORIT_CHILD -gt 0 ]]; then
157 | wait_for
158 | WAITFORIT_RESULT=$?
159 | exit $WAITFORIT_RESULT
160 | else
161 | if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then
162 | wait_for_wrapper
163 | WAITFORIT_RESULT=$?
164 | else
165 | wait_for
166 | WAITFORIT_RESULT=$?
167 | fi
168 | fi
169 |
170 | if [[ $WAITFORIT_CLI != "" ]]; then
171 | if [[ $WAITFORIT_RESULT -ne 0 && $WAITFORIT_STRICT -eq 1 ]]; then
172 | echoerr "$WAITFORIT_cmdname: strict mode, refusing to execute subprocess"
173 | exit $WAITFORIT_RESULT
174 | fi
175 | exec "${WAITFORIT_CLI[@]}"
176 | else
177 | exit $WAITFORIT_RESULT
178 | fi
179 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | CLOUDFLARE ACCESS PLUGIN FOR SENTRY LICENSE
2 |
3 | Your installation of this software constitutes a symbol of your signature
4 | indicating that you accept the terms of this Cloudflare Access Plugin for
5 | Sentry License (this “Agreement”). This Agreement is a binding legal
6 | agreement between you and Cloudflare, Inc. (“Cloudflare”) for the Cloudflare
7 | Access Plugin for Sentry software code made available to you by Cloudflare or
8 | its authorized representative (the “Software”). If you are not accepting this
9 | Agreement as an individual, then “you” means your company, its officers,
10 | members, employees, agents, representatives, successors and assigns.
11 |
12 | BY USING THE SOFTWARE, YOU ARE INDICATING THAT YOU HAVE READ, AND AGREE TO BE
13 | BOUND BY, THIS AGREEMENT IN ITS ENTIRETY, WITHOUT LIMITATION OR QUALIFICATION,
14 | AS WELL AS BY ALL APPLICABLE LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN
15 | YOUR NAME ON AND SIGNED THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND
16 | CONDITIONS CONTAINED IN THIS AGREEMENT, YOU MAY NOT USE THE SOFTWARE.
17 |
18 | 1. GRANT OF RIGHTS
19 |
20 | 1.1 Grant of License. Subject to the terms and conditions of this
21 | Agreement, Cloudflare hereby grants you a limited, revocable, non-exclusive,
22 | non-sublicensable, and non-transferable copyright license to install and use the
23 | Software in connection with Cloudflare’s cloud-based solutions (the “License”).
24 | For any elements of the Software provided to you in source code, you may modify
25 | such source code solely to the extent necessary to support your permitted use of
26 | the Software (collectively, “Modifications”); provided, that in no event may you
27 | create Modifications for use with products or services other than those provided
28 | to you by or on behalf of Cloudflare, and you agree to indemnify, defend and
29 | hold Cloudflare harmless from and against any and all claims, costs, damages,
30 | notices affixed to, distributed with or associated with the Software. Except for
31 | the rights and licenses explicitly granted herein, as between you and
32 | Cloudflare, Cloudflare and/or its licensors own and shall retain all right,
33 | title, and interest in and to the Software, including any and all technology
34 | embodied therein, including all copyrights, patents, trade secrets, trade dress
35 | and other proprietary rights associated therewith, and any derivative works
36 | created therefrom.
37 |
38 | 2. DISCLAIMER; NO WARRANTIES
39 |
40 | THE SOFTWARE IS MADE AVAILABLE TO YOU ON AN "AS IS" AND "AS AVAILABLE" BASIS,
41 | WITH THE EXPRESS UNDERSTANDING THAT CLOUDFLARE HAS NO OBLIGATION TO MONITOR,
42 | CONTROL, OR VET THE SOFTWARE. AS SUCH, YOUR USE OF THE SOFTWARE IS AT YOUR OWN
43 | DISCRETION AND RISK. CLOUDFLARE MAKES NO CLAIMS OR PROMISES ABOUT THE QUALITY,
44 | ACCURACY, OR RELIABILITY OF THE SOFTWARE, ITS SAFETY OR SECURITY. ACCORDINGLY,
45 | CLOUDFLARE IS NOT LIABLE TO YOU FOR ANY LOSS OR DAMAGE THAT MIGHT ARISE, FOR
46 | EXAMPLE, FROM THE SOFTWARE'S INOPERABILITY, UNAVAILABILITY OR SECURITY
47 | VULNERABILITIES. ACCORDINGLY, TO THE EXTENT PERMISSIBLE UNDER APPLCIABLE LAW,
48 | CLOUDFLARE EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED,
49 | INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
50 | PURPOSE, AND NON-INFRINGEMENT. FOR THE AVOIDANCE OF DOUBT, YOU ACKNOWLEDGE AND
51 | AGREE THAT CLOUDFLARE IS NOT OBLIGATED TO PROVIDE YOU WITH SUPPORT FOR THE
52 | SOFTWARE OR CORRECT ANY BUGS, DEFECTS, OR ERRORS IN THE SOFTWARE.
53 |
54 | 3. LIMITATION OF LIABILITY
55 |
56 | IN NO EVENT WILL CLOUDFLARE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY
57 | INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF
58 | OR RELATING TO YOUR ACCESS TO OR USE OF, OR YOUR INABILITY TO ACCESS OR USE, THE
59 | SOFTWARE, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE),
60 | STATUTE OR ANY OTHER LEGAL THEORY, WHETHER OR NOT CLOUDFLARE HAS BEEN INFORMED
61 | OF THE POSSIBILITY OF SUCH DAMAGE.
62 |
63 | 4. TERM AND TERMINATION
64 |
65 | This Agreement shall be effective upon download or installation of the Software
66 | by you, and shall continue until terminated in accordance with this Section 4.
67 | This Agreement may be terminated by Cloudflare if you are in material breach of
68 | this Agreement or any other agreement between you and Cloudflare or its
69 | authorized representative (a “Related Agreement”), including, without
70 | limitation, if you fail to pay any amounts due to Cloudflare under a Related
71 | Agreement, or if all Related Agreements are terminated or expired. Upon the
72 | termination of this Agreement for any reason all license rights granted
73 | hereunder shall terminate immediately.
74 |
75 | 5. MISCELLANEOUS
76 |
77 | Cloudflare may modify this Agreement upon written notice to you. No failure or
78 | delay by either party in exercising any right, power, or remedy under this
79 | Agreement, except as specifically provided herein, shall operate as a waiver of
80 | any such right, power or remedy. This Agreement shall be governed by the laws of
81 | the State of California, without giving effect to any conflicts of laws
82 | principles that require the application of the law of a different jurisdiction,
83 | and excluding the United Nations Convention on Contracts for the International
84 | Sale of Goods. The parties to this Agreement are independent contractors.
85 | Neither party shall be deemed to be an employee, agent, partner or legal
86 | representative of the other for any purpose and neither shall have any right,
87 | power or authority to create any obligation or responsibility on behalf of the
88 | other. If any provision of this Agreement is held by a court of competent
89 | jurisdiction to be contrary to law, such provision shall be changed and
90 | interpreted so as to best accomplish the objectives of the original provision to
91 | the fullest extent allowed by law, and the remaining provisions of this
92 | Agreement shall remain in full force and effect. This Agreement constitutes the
93 | final, complete and exclusive agreement between you and Cloudflare with respect
94 | to the License and the Software, and supersedes all previous written and oral
95 | agreements and communications related thereto.
96 |
97 | Last Updated: October 1, 2018
98 |
--------------------------------------------------------------------------------
/src/LICENSE:
--------------------------------------------------------------------------------
1 | CLOUDFLARE ACCESS PLUGIN FOR SENTRY LICENSE
2 |
3 | Your installation of this software constitutes a symbol of your signature
4 | indicating that you accept the terms of this Cloudflare Access Plugin for
5 | Sentry License (this “Agreement”). This Agreement is a binding legal
6 | agreement between you and Cloudflare, Inc. (“Cloudflare”) for the Cloudflare
7 | Access Plugin for Sentry software code made available to you by Cloudflare or
8 | its authorized representative (the “Software”). If you are not accepting this
9 | Agreement as an individual, then “you” means your company, its officers,
10 | members, employees, agents, representatives, successors and assigns.
11 |
12 | BY USING THE SOFTWARE, YOU ARE INDICATING THAT YOU HAVE READ, AND AGREE TO BE
13 | BOUND BY, THIS AGREEMENT IN ITS ENTIRETY, WITHOUT LIMITATION OR QUALIFICATION,
14 | AS WELL AS BY ALL APPLICABLE LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN
15 | YOUR NAME ON AND SIGNED THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND
16 | CONDITIONS CONTAINED IN THIS AGREEMENT, YOU MAY NOT USE THE SOFTWARE.
17 |
18 | 1. GRANT OF RIGHTS
19 |
20 | 1.1 Grant of License. Subject to the terms and conditions of this
21 | Agreement, Cloudflare hereby grants you a limited, revocable, non-exclusive,
22 | non-sublicensable, and non-transferable copyright license to install and use the
23 | Software in connection with Cloudflare’s cloud-based solutions (the “License”).
24 | For any elements of the Software provided to you in source code, you may modify
25 | such source code solely to the extent necessary to support your permitted use of
26 | the Software (collectively, “Modifications”); provided, that in no event may you
27 | create Modifications for use with products or services other than those provided
28 | to you by or on behalf of Cloudflare, and you agree to indemnify, defend and
29 | hold Cloudflare harmless from and against any and all claims, costs, damages,
30 | notices affixed to, distributed with or associated with the Software. Except for
31 | the rights and licenses explicitly granted herein, as between you and
32 | Cloudflare, Cloudflare and/or its licensors own and shall retain all right,
33 | title, and interest in and to the Software, including any and all technology
34 | embodied therein, including all copyrights, patents, trade secrets, trade dress
35 | and other proprietary rights associated therewith, and any derivative works
36 | created therefrom.
37 |
38 | 2. DISCLAIMER; NO WARRANTIES
39 |
40 | THE SOFTWARE IS MADE AVAILABLE TO YOU ON AN "AS IS" AND "AS AVAILABLE" BASIS,
41 | WITH THE EXPRESS UNDERSTANDING THAT CLOUDFLARE HAS NO OBLIGATION TO MONITOR,
42 | CONTROL, OR VET THE SOFTWARE. AS SUCH, YOUR USE OF THE SOFTWARE IS AT YOUR OWN
43 | DISCRETION AND RISK. CLOUDFLARE MAKES NO CLAIMS OR PROMISES ABOUT THE QUALITY,
44 | ACCURACY, OR RELIABILITY OF THE SOFTWARE, ITS SAFETY OR SECURITY. ACCORDINGLY,
45 | CLOUDFLARE IS NOT LIABLE TO YOU FOR ANY LOSS OR DAMAGE THAT MIGHT ARISE, FOR
46 | EXAMPLE, FROM THE SOFTWARE'S INOPERABILITY, UNAVAILABILITY OR SECURITY
47 | VULNERABILITIES. ACCORDINGLY, TO THE EXTENT PERMISSIBLE UNDER APPLCIABLE LAW,
48 | CLOUDFLARE EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED,
49 | INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
50 | PURPOSE, AND NON-INFRINGEMENT. FOR THE AVOIDANCE OF DOUBT, YOU ACKNOWLEDGE AND
51 | AGREE THAT CLOUDFLARE IS NOT OBLIGATED TO PROVIDE YOU WITH SUPPORT FOR THE
52 | SOFTWARE OR CORRECT ANY BUGS, DEFECTS, OR ERRORS IN THE SOFTWARE.
53 |
54 | 3. LIMITATION OF LIABILITY
55 |
56 | IN NO EVENT WILL CLOUDFLARE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY
57 | INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF
58 | OR RELATING TO YOUR ACCESS TO OR USE OF, OR YOUR INABILITY TO ACCESS OR USE, THE
59 | SOFTWARE, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE),
60 | STATUTE OR ANY OTHER LEGAL THEORY, WHETHER OR NOT CLOUDFLARE HAS BEEN INFORMED
61 | OF THE POSSIBILITY OF SUCH DAMAGE.
62 |
63 | 4. TERM AND TERMINATION
64 |
65 | This Agreement shall be effective upon download or installation of the Software
66 | by you, and shall continue until terminated in accordance with this Section 4.
67 | This Agreement may be terminated by Cloudflare if you are in material breach of
68 | this Agreement or any other agreement between you and Cloudflare or its
69 | authorized representative (a “Related Agreement”), including, without
70 | limitation, if you fail to pay any amounts due to Cloudflare under a Related
71 | Agreement, or if all Related Agreements are terminated or expired. Upon the
72 | termination of this Agreement for any reason all license rights granted
73 | hereunder shall terminate immediately.
74 |
75 | 5. MISCELLANEOUS
76 |
77 | Cloudflare may modify this Agreement upon written notice to you. No failure or
78 | delay by either party in exercising any right, power, or remedy under this
79 | Agreement, except as specifically provided herein, shall operate as a waiver of
80 | any such right, power or remedy. This Agreement shall be governed by the laws of
81 | the State of California, without giving effect to any conflicts of laws
82 | principles that require the application of the law of a different jurisdiction,
83 | and excluding the United Nations Convention on Contracts for the International
84 | Sale of Goods. The parties to this Agreement are independent contractors.
85 | Neither party shall be deemed to be an employee, agent, partner or legal
86 | representative of the other for any purpose and neither shall have any right,
87 | power or authority to create any obligation or responsibility on behalf of the
88 | other. If any provision of this Agreement is held by a court of competent
89 | jurisdiction to be contrary to law, such provision shall be changed and
90 | interpreted so as to best accomplish the objectives of the original provision to
91 | the fullest extent allowed by law, and the remaining provisions of this
92 | Agreement shall remain in full force and effect. This Agreement constitutes the
93 | final, complete and exclusive agreement between you and Cloudflare with respect
94 | to the License and the Software, and supersedes all previous written and oral
95 | agreements and communications related thereto.
96 |
97 | Last Updated: October 1, 2018
98 |
--------------------------------------------------------------------------------
/sentry-docker-10x/install.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -e
3 |
4 | MIN_DOCKER_VERSION='17.05.0'
5 | MIN_COMPOSE_VERSION='1.19.0'
6 | MIN_RAM=2400 # MB
7 |
8 | SENTRY_CONFIG_PY='sentry/sentry.conf.py'
9 | SENTRY_CONFIG_YML='sentry/config.yml'
10 | SENTRY_EXTRA_REQUIREMENTS='sentry/requirements.txt'
11 |
12 | DID_CLEAN_UP=0
13 | # the cleanup function will be the exit point
14 | cleanup () {
15 | if [ "$DID_CLEAN_UP" -eq 1 ]; then
16 | return 0;
17 | fi
18 | echo "Cleaning up..."
19 | docker-compose stop &> /dev/null
20 | DID_CLEAN_UP=1
21 | }
22 | trap cleanup ERR INT TERM
23 |
24 | echo "Checking minimum requirements..."
25 |
26 | DOCKER_VERSION=$(docker version --format '{{.Server.Version}}')
27 | COMPOSE_VERSION=$(docker-compose --version | sed 's/docker-compose version \(.\{1,\}\),.*/\1/')
28 | RAM_AVAILABLE_IN_DOCKER=$(docker run --rm busybox free -m 2>/dev/null | awk '/Mem/ {print $2}');
29 |
30 | # Compare dot-separated strings - function below is inspired by https://stackoverflow.com/a/37939589/808368
31 | function ver () { echo "$@" | awk -F. '{ printf("%d%03d%03d", $1,$2,$3); }'; }
32 |
33 | # Thanks to https://stackoverflow.com/a/25123013/90297 for the quick `sed` pattern
34 | function ensure_file_from_example {
35 | if [ -f "$1" ]; then
36 | echo "$1 already exists, skipped creation."
37 | else
38 | echo "Creating $1..."
39 | cp -n $(echo "$1" | sed 's/\.[^.]*$/.example&/') "$1"
40 | fi
41 | }
42 |
43 | if [ $(ver $DOCKER_VERSION) -lt $(ver $MIN_DOCKER_VERSION) ]; then
44 | echo "FAIL: Expected minimum Docker version to be $MIN_DOCKER_VERSION but found $DOCKER_VERSION"
45 | exit -1
46 | fi
47 |
48 | if [ $(ver $COMPOSE_VERSION) -lt $(ver $MIN_COMPOSE_VERSION) ]; then
49 | echo "FAIL: Expected minimum docker-compose version to be $MIN_COMPOSE_VERSION but found $COMPOSE_VERSION"
50 | exit -1
51 | fi
52 |
53 | if [ "$RAM_AVAILABLE_IN_DOCKER" -lt "$MIN_RAM" ]; then
54 | echo "FAIL: Expected minimum RAM available to Docker to be $MIN_RAM MB but found $RAM_AVAILABLE_IN_DOCKER MB"
55 | exit -1
56 | fi
57 |
58 | # Ensure nothing is working while we install/update
59 | docker-compose stop
60 |
61 | echo ""
62 | echo "Creating volumes for persistent storage..."
63 | echo "Created $(docker volume create --name=sentry-data)."
64 | echo "Created $(docker volume create --name=sentry-postgres)."
65 | echo "Created $(docker volume create --name=sentry-redis)."
66 | echo "Created $(docker volume create --name=sentry-zookeeper)."
67 | echo "Created $(docker volume create --name=sentry-kafka)."
68 | echo "Created $(docker volume create --name=sentry-clickhouse)."
69 | echo "Created $(docker volume create --name=sentry-symbolicator)."
70 |
71 | echo ""
72 | ensure_file_from_example $SENTRY_CONFIG_PY
73 | ensure_file_from_example $SENTRY_CONFIG_YML
74 | ensure_file_from_example $SENTRY_EXTRA_REQUIREMENTS
75 |
76 | echo ""
77 | echo "Generating secret key..."
78 | # This is to escape the secret key to be used in sed below
79 | SECRET_KEY=$(head /dev/urandom | tr -dc "a-z0-9@#%^&*(-_=+)" | head -c 50 | sed -e 's/[\/&]/\\&/g')
80 | sed -i -e 's/^system.secret-key:.*$/system.secret-key: '"'$SECRET_KEY'"'/' $SENTRY_CONFIG_YML
81 | echo "Secret key written to $SENTRY_CONFIG_YML"
82 |
83 | echo ""
84 | echo "Building and tagging Docker images..."
85 | echo ""
86 | # Build the sentry onpremise image first as it is needed for the cron image
87 | docker-compose build --force-rm web
88 | docker-compose build --force-rm
89 | echo ""
90 | echo "Docker images built."
91 |
92 | # Very naively check whether there's an existing sentry-postgres volume and the PG version in it
93 | if [[ $(docker volume ls -q --filter name=sentry-postgres) && $(docker run --rm -v sentry-postgres:/db busybox cat /db/PG_VERSION 2>/dev/null) == "9.5" ]]; then
94 | # If this is Postgres 9.5 data, start upgrading it to 9.6 in a new volume
95 | docker run --rm \
96 | -v sentry-postgres:/var/lib/postgresql/9.5/data \
97 | -v sentry-postgres-new:/var/lib/postgresql/9.6/data \
98 | tianon/postgres-upgrade:9.5-to-9.6
99 |
100 | # Get rid of the old volume as we'll rename the new one to that
101 | docker volume rm sentry-postgres
102 | docker volume create --name sentry-postgres
103 | # There's no rename volume in Docker so copy the contents from old to new name
104 | # Also append the `host all all all trust` line as `tianon/postgres-upgrade:9.5-to-9.6`
105 | # doesn't do that automatically.
106 | docker run --rm -v sentry-postgres-new:/from -v sentry-postgres:/to alpine ash -c \
107 | "cd /from ; cp -av . /to ; echo 'host all all all trust' >> /to/pg_hba.conf"
108 | # Finally, remove the new old volume as we are all in sentry-postgres now
109 | docker volume rm sentry-postgres-new
110 | fi
111 |
112 | echo ""
113 | echo "Setting up database..."
114 | if [ $CI ]; then
115 | docker-compose run --rm web upgrade --noinput
116 | echo ""
117 | echo "Did not prompt for user creation due to non-interactive shell."
118 | echo "Run the following command to create one yourself (recommended):"
119 | echo ""
120 | echo " docker-compose run --rm web createuser"
121 | echo ""
122 | else
123 | docker-compose run --rm web upgrade
124 | fi
125 |
126 | SENTRY_DATA_NEEDS_MIGRATION=$(docker run --rm -v sentry-data:/data alpine ash -c "[ ! -d '/data/files' ] && ls -A1x /data | wc -l")
127 | if [ "$SENTRY_DATA_NEEDS_MIGRATION" ]; then
128 | echo "Migrating file storage..."
129 | docker run --rm -v sentry-data:/data alpine ash -c \
130 | "mkdir -p /tmp/files; mv /data/* /tmp/files/; mv /tmp/files /data/files"
131 | fi
132 |
133 | echo "Boostrapping Snuba..."
134 | docker-compose up -d kafka redis clickhouse
135 | until $(docker-compose run --rm clickhouse clickhouse-client -h clickhouse --query="SHOW TABLES;" | grep -q sentry_local); do
136 | # `bootstrap` is for fresh installs, and `migrate` is for existing installs
137 | # Running them both for both cases is harmless so we blindly run them
138 | docker-compose run --rm snuba-api bootstrap --force || true;
139 | docker-compose run --rm snuba-api migrate || true;
140 | done;
141 | echo ""
142 |
143 | set -o allexport
144 | source .env
145 | set +o allexport
146 | echo "Migrating old events for the last $SENTRY_EVENT_RETENTION_DAYS days..."
147 | docker-compose run --rm web django backfill_eventstream --no-input --last-days $SENTRY_EVENT_RETENTION_DAYS
148 | echo ""
149 |
150 | cleanup
151 |
152 | echo ""
153 | echo "----------------"
154 | echo "You're all done! Run the following command to get Sentry running:"
155 | echo ""
156 | echo " docker-compose up -d"
157 | echo ""
158 |
--------------------------------------------------------------------------------
/src/sentry_cloudflare_access_auth/middleware.py:
--------------------------------------------------------------------------------
1 | from __future__ import absolute_import
2 |
3 | import logging
4 | import requests
5 | import jwt
6 | import json
7 |
8 | from django.core.exceptions import ValidationError
9 | from django.conf import settings
10 | from django.http import HttpResponse
11 | from django.contrib.auth import authenticate, login
12 | from django.shortcuts import redirect
13 | from sentry.web.helpers import render_to_response
14 |
15 | from sentry_cloudflare_access_auth.backend import MultipleUsersMatchingEmailException, UserIsNotActiveException, UserNotFoundException
16 |
17 | logger = logging.getLogger(__name__)
18 | #logger.setLevel('DEBUG')
19 |
20 | static_resources_extension = ["js", "css", "png", "jpg", "jpeg", "woff", "ttf"]
21 |
22 | cf_sentry_logout_cookie_name = "cf_sentry_logout"
23 | cf_sentry_default_flow_cookie_name = "cf_sentry_default_flow"
24 |
25 | class CloudflareAccessAuthMiddleware:
26 | _certs_url = "https://{}/cdn-cgi/access/certs".format(settings.CLOUDFLARE_ACCESS_AUTH_DOMAIN)
27 |
28 |
29 | def __init__(self, get_response=None):
30 | self.get_response = get_response
31 | logger.info("CloudflareAccessAuthMiddleware initialized")
32 | logger.info("Certificates URL: %s", self._certs_url)
33 |
34 |
35 | def process_request(self, request):
36 | logger.debug("Handling request...")
37 |
38 | if self._should_redirect_to_logout(request):
39 | return self._redirect_to_logout(request)
40 |
41 |
42 | if self._proceed_with_token_verification(request):
43 | try:
44 | token = self._get_token_payload_from_request(request)
45 | except JWTValidationException as e:
46 | return self._render_error(request, e.message)
47 |
48 | if token == None:
49 | logger.debug("JWT token not present, bypassing auth process: %s", request.get_full_path())
50 | return None
51 |
52 | if u'common_name' in token and token[u'common_name']:
53 | logger.debug("JWT token contains common_name, bypassing auth process for service token: %s", request.get_full_path())
54 | return None
55 |
56 | user_email = "" if not u'email' in token else token[u'email']
57 | logger.info("Token user_email: %s", user_email)
58 |
59 |
60 | try:
61 | user = authenticate(email=user_email, jwt_validated=True)
62 | except MultipleUsersMatchingEmailException:
63 | return self._render_error(request, (
64 | "More than one user matches the email %s" % user_email
65 | ))
66 | except UserIsNotActiveException:
67 | return self._render_error(request, (
68 | "The user is currently disabled"
69 | ))
70 | except UserNotFoundException as e:
71 | return self._render_error(request, (
72 | e.message
73 | ))
74 | else:
75 | if not user == None:
76 | logger.info("Login user: %s", user.username)
77 | login(request, user)
78 |
79 | #continue to next middleware
80 | return None
81 |
82 |
83 | def process_response(self, request, response):
84 | logger.debug("response: %s - %s", request.method, request.path)
85 | if request.path == "/api/0/auth/" and request.method == 'DELETE':
86 | response.set_cookie(cf_sentry_logout_cookie_name, "1")
87 |
88 | if self._should_go_to_login_form(request):
89 | response.set_cookie(cf_sentry_default_flow_cookie_name, "1")
90 |
91 | #When authenticated, removes the default flow cookie
92 | if self._is_already_authenticated(request):
93 | response.delete_cookie(cf_sentry_default_flow_cookie_name)
94 |
95 | return response
96 |
97 |
98 | def _should_redirect_to_logout(self, request):
99 | return cf_sentry_logout_cookie_name in request.COOKIES and request.COOKIES[cf_sentry_logout_cookie_name] == "1"
100 |
101 |
102 | def _redirect_to_logout(self, request):
103 | logout_absolute_url = request.build_absolute_uri("/cdn-cgi/access/logout").replace("http://", "https://")
104 | logger.info("redirecting to: %s" % logout_absolute_url)
105 | redirect_response = redirect(logout_absolute_url)
106 | redirect_response.delete_cookie(cf_sentry_logout_cookie_name)
107 | redirect_response.delete_cookie(cf_sentry_default_flow_cookie_name)
108 | return redirect_response
109 |
110 | def _proceed_with_token_verification(self, request):
111 | mandatory_settings = [settings.CLOUDFLARE_ACCESS_POLICY_AUD, settings.CLOUDFLARE_ACCESS_AUTH_DOMAIN]
112 | if None in mandatory_settings:
113 | logger.error("Middleware not configured, CLOUDFLARE_ACCESS_POLICY_AUD={0} CLOUDFLARE_ACCESS_AUTH_DOMAIN={1}".format(*mandatory_settings))
114 | return False
115 |
116 | extension = request.path.split(".")[-1]
117 | logger.debug("Testing extension: {0} (path: {1})".format(*[extension, request.get_full_path()]))
118 | if extension in static_resources_extension:
119 | logger.debug("Skipping middleware for static resources, extension: %s" % extension)
120 | return False
121 |
122 | if self._should_go_to_login_form(request):
123 | return False
124 |
125 | if self._is_already_authenticated(request):
126 | return False
127 |
128 | if cf_sentry_default_flow_cookie_name in request.COOKIES and request.COOKIES[cf_sentry_default_flow_cookie_name] == "1":
129 | return False
130 |
131 | return True
132 |
133 |
134 | def _get_token_payload_from_request(self, request):
135 | """
136 | Returns:
137 | Token paylod (claims) or None if no token is present.
138 | In case of invalid JWT a exception is raised.
139 | """
140 | token = ''
141 | if 'CF_Authorization' in request.COOKIES:
142 | token = request.COOKIES['CF_Authorization']
143 | else:
144 | return None
145 | keys = self._get_public_keys()
146 |
147 | error_messages = set()
148 | for key in keys:
149 | try:
150 | t = jwt.decode(token, key=key, audience=settings.CLOUDFLARE_ACCESS_POLICY_AUD)
151 | logger.debug("Token payload:")
152 | logger.debug(t)
153 | return t
154 | except Exception as e:
155 | logger.debug("Unable to validate JWT: %s" % e.message)
156 | error_messages.add(e.message)
157 | pass
158 |
159 | raise JWTValidationException("Unable to validate JWT: %s" % ", ".join(error_messages))
160 |
161 |
162 | def _get_public_keys(self):
163 | """
164 | Returns:
165 | List of RSA public keys usable by PyJWT.
166 | """
167 | r = requests.get(self._certs_url)
168 | public_keys = []
169 | jwk_set = r.json()
170 | for key_dict in jwk_set['keys']:
171 | public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict))
172 | public_keys.append(public_key)
173 | return public_keys
174 |
175 |
176 | def _is_already_authenticated(self, request):
177 | #Try checking the user, which may not exist in the request
178 | try:
179 | logger.info("authenticated user: %s" % request.user)
180 | logger.info("authenticated user ok: %s" % request.user.is_authenticated())
181 | if request.user == None:
182 | return False
183 |
184 | return request.user.is_authenticated()
185 | except:
186 | return False
187 |
188 |
189 | def _should_go_to_login_form(self, request):
190 | should_go_to_login = 'goToLogin' in request.GET
191 | logger.debug("should_go_to_login: %s" % should_go_to_login)
192 | return should_go_to_login
193 |
194 |
195 | def _render_error(self, request, message):
196 | context = {"message": message}
197 | return render_to_response("cloudflareaccess/error.html", context=context, request=request)
198 |
199 |
200 | class JWTValidationException(Exception):
201 | pass
--------------------------------------------------------------------------------
/sentry-docker-9x/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | http://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 | APPENDIX: How to apply the Apache License to your work.
180 |
181 | To apply the Apache License to your work, attach the following
182 | boilerplate notice, with the fields enclosed by brackets "[]"
183 | replaced with your own identifying information. (Don't include
184 | the brackets!) The text should be enclosed in the appropriate
185 | comment syntax for the file format. We also recommend that a
186 | file or class name and description of purpose be included on the
187 | same "printed page" as the copyright notice for easier
188 | identification within third-party archives.
189 |
190 | Copyright 2016 Functional Software, Inc.
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------
/sentry-docker-9x/sentry.conf.py:
--------------------------------------------------------------------------------
1 | # This file is just Python, with a touch of Django which means
2 | # you can inherit and tweak settings to your hearts content.
3 |
4 | # For Docker, the following environment variables are supported:
5 | # SENTRY_POSTGRES_HOST
6 | # SENTRY_POSTGRES_PORT
7 | # SENTRY_DB_NAME
8 | # SENTRY_DB_USER
9 | # SENTRY_DB_PASSWORD
10 | # SENTRY_RABBITMQ_HOST
11 | # SENTRY_RABBITMQ_USERNAME
12 | # SENTRY_RABBITMQ_PASSWORD
13 | # SENTRY_RABBITMQ_VHOST
14 | # SENTRY_REDIS_HOST
15 | # SENTRY_REDIS_PASSWORD
16 | # SENTRY_REDIS_PORT
17 | # SENTRY_REDIS_DB
18 | # SENTRY_MEMCACHED_HOST
19 | # SENTRY_MEMCACHED_PORT
20 | # SENTRY_FILESTORE_DIR
21 | # SENTRY_SERVER_EMAIL
22 | # SENTRY_EMAIL_HOST
23 | # SENTRY_EMAIL_PORT
24 | # SENTRY_EMAIL_USER
25 | # SENTRY_EMAIL_PASSWORD
26 | # SENTRY_EMAIL_USE_TLS
27 | # SENTRY_EMAIL_LIST_NAMESPACE
28 | # SENTRY_ENABLE_EMAIL_REPLIES
29 | # SENTRY_SMTP_HOSTNAME
30 | # SENTRY_MAILGUN_API_KEY
31 | # SENTRY_SINGLE_ORGANIZATION
32 | # SENTRY_SECRET_KEY
33 | # (slack integration)
34 | # SENTRY_SLACK_CLIENT_ID
35 | # SENTRY_SLACK_CLIENT_SECRET
36 | # SENTRY_SLACK_VERIFICATION_TOKEN
37 | # (github plugin, sso)
38 | # GITHUB_APP_ID
39 | # GITHUB_API_SECRET
40 | # (github integration)
41 | # SENTRY_GITHUB_APP_ID
42 | # SENTRY_GITHUB_APP_CLIENT_ID
43 | # SENTRY_GITHUB_APP_CLIENT_SECRET
44 | # SENTRY_GITHUB_APP_WEBHOOK_SECRET
45 | # SENTRY_GITHUB_APP_PRIVATE_KEY
46 | # (azure devops integration)
47 | # SENTRY_VSTS_CLIENT_ID
48 | # SENTRY_VSTS_CLIENT_SECRET
49 | # (bitbucket plugin)
50 | # BITBUCKET_CONSUMER_KEY
51 | # BITBUCKET_CONSUMER_SECRET
52 | from sentry.conf.server import * # NOQA
53 | from sentry.utils.types import Bool, Int
54 |
55 | import os
56 | import os.path
57 | import six
58 |
59 | CONF_ROOT = os.path.dirname(__file__)
60 |
61 | postgres = env('SENTRY_POSTGRES_HOST') or (env('POSTGRES_PORT_5432_TCP_ADDR') and 'postgres')
62 | if postgres:
63 | DATABASES = {
64 | 'default': {
65 | 'ENGINE': 'sentry.db.postgres',
66 | 'NAME': (
67 | env('SENTRY_DB_NAME')
68 | or env('POSTGRES_ENV_POSTGRES_USER')
69 | or 'postgres'
70 | ),
71 | 'USER': (
72 | env('SENTRY_DB_USER')
73 | or env('POSTGRES_ENV_POSTGRES_USER')
74 | or 'postgres'
75 | ),
76 | 'PASSWORD': (
77 | env('SENTRY_DB_PASSWORD')
78 | or env('POSTGRES_ENV_POSTGRES_PASSWORD')
79 | or ''
80 | ),
81 | 'HOST': postgres,
82 | 'PORT': (
83 | env('SENTRY_POSTGRES_PORT')
84 | or ''
85 | ),
86 | },
87 | }
88 |
89 | # You should not change this setting after your database has been created
90 | # unless you have altered all schemas first
91 | SENTRY_USE_BIG_INTS = True
92 |
93 | # If you're expecting any kind of real traffic on Sentry, we highly recommend
94 | # configuring the CACHES and Redis settings
95 |
96 | ###########
97 | # General #
98 | ###########
99 |
100 | # Instruct Sentry that this install intends to be run by a single organization
101 | # and thus various UI optimizations should be enabled.
102 | SENTRY_SINGLE_ORGANIZATION = env('SENTRY_SINGLE_ORGANIZATION', True)
103 |
104 | #########
105 | # Redis #
106 | #########
107 |
108 | # Generic Redis configuration used as defaults for various things including:
109 | # Buffers, Quotas, TSDB
110 |
111 | redis = env('SENTRY_REDIS_HOST') or (env('REDIS_PORT_6379_TCP_ADDR') and 'redis')
112 | if not redis:
113 | raise Exception('Error: REDIS_PORT_6379_TCP_ADDR (or SENTRY_REDIS_HOST) is undefined, did you forget to `--link` a redis container?')
114 |
115 | redis_password = env('SENTRY_REDIS_PASSWORD') or ''
116 | redis_port = env('SENTRY_REDIS_PORT') or '6379'
117 | redis_db = env('SENTRY_REDIS_DB') or '0'
118 |
119 | SENTRY_OPTIONS.update({
120 | 'redis.clusters': {
121 | 'default': {
122 | 'hosts': {
123 | 0: {
124 | 'host': redis,
125 | 'password': redis_password,
126 | 'port': redis_port,
127 | 'db': redis_db,
128 | },
129 | },
130 | },
131 | },
132 | })
133 |
134 | #########
135 | # Cache #
136 | #########
137 |
138 | # Sentry currently utilizes two separate mechanisms. While CACHES is not a
139 | # requirement, it will optimize several high throughput patterns.
140 |
141 | memcached = env('SENTRY_MEMCACHED_HOST') or (env('MEMCACHED_PORT_11211_TCP_ADDR') and 'memcached')
142 | if memcached:
143 | memcached_port = (
144 | env('SENTRY_MEMCACHED_PORT')
145 | or '11211'
146 | )
147 | CACHES = {
148 | 'default': {
149 | 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
150 | 'LOCATION': [memcached + ':' + memcached_port],
151 | 'TIMEOUT': 3600,
152 | }
153 | }
154 |
155 | # A primary cache is required for things such as processing events
156 | SENTRY_CACHE = 'sentry.cache.redis.RedisCache'
157 |
158 | #########
159 | # Queue #
160 | #########
161 |
162 | # See https://docs.getsentry.com/on-premise/server/queue/ for more
163 | # information on configuring your queue broker and workers. Sentry relies
164 | # on a Python framework called Celery to manage queues.
165 |
166 | rabbitmq = env('SENTRY_RABBITMQ_HOST') or (env('RABBITMQ_PORT_5672_TCP_ADDR') and 'rabbitmq')
167 |
168 | if rabbitmq:
169 | BROKER_URL = (
170 | 'amqp://' + (
171 | env('SENTRY_RABBITMQ_USERNAME')
172 | or env('RABBITMQ_ENV_RABBITMQ_DEFAULT_USER')
173 | or 'guest'
174 | ) + ':' + (
175 | env('SENTRY_RABBITMQ_PASSWORD')
176 | or env('RABBITMQ_ENV_RABBITMQ_DEFAULT_PASS')
177 | or 'guest'
178 | ) + '@' + rabbitmq + '/' + (
179 | env('SENTRY_RABBITMQ_VHOST')
180 | or env('RABBITMQ_ENV_RABBITMQ_DEFAULT_VHOST')
181 | or '/'
182 | )
183 | )
184 | else:
185 | BROKER_URL = 'redis://:' + redis_password + '@' + redis + ':' + redis_port + '/' + redis_db
186 |
187 |
188 | ###############
189 | # Rate Limits #
190 | ###############
191 |
192 | # Rate limits apply to notification handlers and are enforced per-project
193 | # automatically.
194 |
195 | SENTRY_RATELIMITER = 'sentry.ratelimits.redis.RedisRateLimiter'
196 |
197 | ##################
198 | # Update Buffers #
199 | ##################
200 |
201 | # Buffers (combined with queueing) act as an intermediate layer between the
202 | # database and the storage API. They will greatly improve efficiency on large
203 | # numbers of the same events being sent to the API in a short amount of time.
204 | # (read: if you send any kind of real data to Sentry, you should enable buffers)
205 |
206 | SENTRY_BUFFER = 'sentry.buffer.redis.RedisBuffer'
207 |
208 | ##########
209 | # Quotas #
210 | ##########
211 |
212 | # Quotas allow you to rate limit individual projects or the Sentry install as
213 | # a whole.
214 |
215 | SENTRY_QUOTAS = 'sentry.quotas.redis.RedisQuota'
216 |
217 | ########
218 | # TSDB #
219 | ########
220 |
221 | # The TSDB is used for building charts as well as making things like per-rate
222 | # alerts possible.
223 |
224 | SENTRY_TSDB = 'sentry.tsdb.redis.RedisTSDB'
225 |
226 | ###########
227 | # Digests #
228 | ###########
229 |
230 | # The digest backend powers notification summaries.
231 |
232 | SENTRY_DIGESTS = 'sentry.digests.backends.redis.RedisBackend'
233 |
234 | ################
235 | # File storage #
236 | ################
237 |
238 | # Uploaded media uses these `filestore` settings. The available
239 | # backends are either `filesystem` or `s3`.
240 |
241 | SENTRY_OPTIONS['filestore.backend'] = 'filesystem'
242 | SENTRY_OPTIONS['filestore.options'] = {
243 | 'location': env('SENTRY_FILESTORE_DIR'),
244 | }
245 |
246 | ##############
247 | # Web Server #
248 | ##############
249 |
250 | # If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto
251 | # header and set `SENTRY_USE_SSL=1`
252 |
253 | if env('SENTRY_USE_SSL', False):
254 | SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
255 | SESSION_COOKIE_SECURE = True
256 | CSRF_COOKIE_SECURE = True
257 | SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
258 |
259 | SENTRY_WEB_HOST = '0.0.0.0'
260 | SENTRY_WEB_PORT = 9000
261 | SENTRY_WEB_OPTIONS = {
262 | 'http': '%s:%s' % (SENTRY_WEB_HOST, SENTRY_WEB_PORT),
263 | 'protocol': 'uwsgi',
264 | # This is need to prevent https://git.io/fj7Lw
265 | 'uwsgi-socket': None,
266 | 'http-keepalive': True,
267 | 'memory-report': False,
268 | # 'workers': 3, # the number of web workers
269 | }
270 |
271 |
272 | ##########
273 | # Docker #
274 | ##########
275 |
276 | # Docker's environment configuration needs to happen
277 | # prior to anything that might rely on these values to
278 | # enable more "smart" configuration.
279 |
280 | ENV_CONFIG_MAPPING = {
281 | 'SENTRY_EMAIL_PASSWORD': 'mail.password',
282 | 'SENTRY_EMAIL_USER': 'mail.username',
283 | 'SENTRY_EMAIL_PORT': ('mail.port', Int),
284 | 'SENTRY_EMAIL_USE_TLS': ('mail.use-tls', Bool),
285 | 'SENTRY_EMAIL_HOST': 'mail.host',
286 | 'SENTRY_SERVER_EMAIL': 'mail.from',
287 | 'SENTRY_ENABLE_EMAIL_REPLIES': ('mail.enable-replies', Bool),
288 | 'SENTRY_EMAIL_LIST_NAMESPACE': 'mail.list-namespace',
289 | 'SENTRY_SMTP_HOSTNAME': 'mail.reply-hostname',
290 | 'SENTRY_SECRET_KEY': 'system.secret-key',
291 |
292 | # If you're using mailgun for inbound mail, set your API key and configure a
293 | # route to forward to /api/hooks/mailgun/inbound/
294 | 'SENTRY_MAILGUN_API_KEY': 'mail.mailgun-api-key',
295 |
296 | 'SENTRY_SLACK_CLIENT_ID': 'slack.client-id',
297 | 'SENTRY_SLACK_CLIENT_SECRET': 'slack.client-secret',
298 | 'SENTRY_SLACK_VERIFICATION_TOKEN': 'slack.verification-token',
299 |
300 | 'SENTRY_GITHUB_APP_ID': ('github-app.id', Int),
301 | 'SENTRY_GITHUB_APP_CLIENT_ID': 'github-app.client-id',
302 | 'SENTRY_GITHUB_APP_CLIENT_SECRET': 'github-app.client-secret',
303 | 'SENTRY_GITHUB_APP_WEBHOOK_SECRET': 'github-app.webhook-secret',
304 | 'SENTRY_GITHUB_APP_PRIVATE_KEY': 'github-app.private-key',
305 |
306 | 'SENTRY_VSTS_CLIENT_ID': 'vsts.client-id',
307 | 'SENTRY_VSTS_CLIENT_SECRET': 'vsts.client-secret',
308 | }
309 |
310 |
311 | def bind_env_config(config=SENTRY_OPTIONS, mapping=ENV_CONFIG_MAPPING):
312 | """
313 | Automatically bind SENTRY_OPTIONS from a set of environment variables.
314 | """
315 | for env_var, item in six.iteritems(mapping):
316 | # HACK: we need to check both in `os.environ` and `env._cache`.
317 | # This is very much an implementation detail leaking out
318 | # due to assumptions about how `env` would be used previously.
319 | # `env` will pop values out of `os.environ` when they are seen,
320 | # so checking against `os.environ` only means it's likely
321 | # they won't exist if `env()` has been called on the variable
322 | # before at any point. So we're choosing to check both, but this
323 | # behavior is different since we're trying to only conditionally
324 | # apply variables, instead of setting them always.
325 | if env_var not in os.environ and env_var not in env._cache:
326 | continue
327 | if isinstance(item, tuple):
328 | opt_key, type_ = item
329 | else:
330 | opt_key, type_ = item, None
331 | config[opt_key] = env(env_var, type=type_)
332 |
333 | # If this value ever becomes compromised, it's important to regenerate your
334 | # SENTRY_SECRET_KEY. Changing this value will result in all current sessions
335 | # being invalidated.
336 | secret_key = env('SENTRY_SECRET_KEY')
337 | if not secret_key:
338 | raise Exception('Error: SENTRY_SECRET_KEY is undefined, run `generate-secret-key` and set to -e SENTRY_SECRET_KEY')
339 |
340 | if 'SENTRY_RUNNING_UWSGI' not in os.environ and len(secret_key) < 32:
341 | print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
342 | print('!! CAUTION !!')
343 | print('!! Your SENTRY_SECRET_KEY is potentially insecure. !!')
344 | print('!! We recommend at least 32 characters long. !!')
345 | print('!! Regenerate with `generate-secret-key`. !!')
346 | print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
347 |
348 | # Grab the easy configuration first - these are all fixed
349 | # key=value with no logic behind them
350 | bind_env_config()
351 |
352 | # If you specify a MAILGUN_API_KEY, you definitely want EMAIL_REPLIES
353 | if SENTRY_OPTIONS.get('mail.mailgun-api-key'):
354 | SENTRY_OPTIONS.setdefault('mail.enable-replies', True)
355 |
356 | if 'GITHUB_APP_ID' in os.environ:
357 | GITHUB_EXTENDED_PERMISSIONS = ['repo']
358 | GITHUB_APP_ID = env('GITHUB_APP_ID')
359 | GITHUB_API_SECRET = env('GITHUB_API_SECRET')
360 |
361 | if 'BITBUCKET_CONSUMER_KEY' in os.environ:
362 | BITBUCKET_CONSUMER_KEY = env('BITBUCKET_CONSUMER_KEY')
363 | BITBUCKET_CONSUMER_SECRET = env('BITBUCKET_CONSUMER_SECRET')
364 |
365 |
366 |
367 | ####################################################
368 | # Cloudflare Access Plugin Setup and Configuration #
369 | ####################################################
370 | from sentry_cloudflare_access_auth.helper import setup_cloudflare_access_for_sentry_9x
371 | MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS = setup_cloudflare_access_for_sentry_9x(MIDDLEWARE_CLASSES, AUTHENTICATION_BACKENDS, TEMPLATE_DIRS)
372 |
373 | CLOUDFLARE_ACCESS_POLICY_AUD = os.getenv("CF_POLICY_AUD")
374 | CLOUDFLARE_ACCESS_AUTH_DOMAIN = os.getenv("CF_AUTH_DOMAIN")
375 |
376 | # Emails that match this domain will authorize with their Access JWT.
377 | # All other emails will be required authorize again with their Sentry credentials.
378 | #CLOUDFLARE_ACCESS_ALLOWED_DOMAIN = None
379 |
--------------------------------------------------------------------------------